The Drug Enforcement Administration's Management of Enterprise Architecture and Information Technology Investments
Report Number 04-36
Office of the Inspector General
To implement the five stages of the EA Management Framework, the DEA must also complete four critical success attributes: 1) demonstrates commitment, 2) provides the capability to meet the commitment, 3) demonstrates satisfaction of commitment, and 4) verifies satisfaction of commitment. Each attribute contains core elements that contribute to the effective implementation and institutionalization of the critical success attribute. Collectively, these attributes form the basis by which an organization can institutionalize management of any given function or program.
Stage 1. At this stage, there are no core elements to be completed. However, the DEA must create an awareness of the value of developing and using an EA by providing the management foundation necessary for successful EA development as defined in Stage 2.13
Stage 2. To complete this stage, the DEA needs to: 1) assign EA management roles and responsibilities; 2) commit the resources - people, processes, and tools - necessary to develop an architecture; and 3) establish plans to develop EA products and measure program progress and EA product quality. As of April 2004, the DEA had completed about 90 percent of the EA Management Framework criteria for meeting the Stage-2 level of maturity.
Stage 3. The DEA is moving from building the EA management foundation to developing EA products for Stage 3. To complete Stage 3, the DEA must: 1) establish organization policy for the EA development; 2) ensure that EA products are under configuration management; 3) ensure that EA products describe both the current and target environments of the agency; and 4) ensure that progress against EA plans is measured and reported.14 As of April 2004, the DEA had completed one EA product - the current architecture.
Stage 4. Additional work must be completed before the EA is used as intended in Stage 4 - to drive sound IT investments that are consistent with the DEA's goals and missions. To complete the stage, the DEA needs to: 1) establish policy for maintaining the EA, and 2) complete the EA including the current and target architectures along with the transition plan to get from the current to the targeted environments. The completed EA must be described in terms of business, data, application, and technology and the descriptions must address security; and it must be approved by the DEA's CIO and the Executive Review Board. The DEA is working on adding more detail to the high-level description of its current EA and developing the target architecture, for a completion date by September 2004.
Stage 5. To reach Stage 5 maturity, an agency is using the EA as intended - to drive IT investments and ensure systems' interoperability. The DEA has not completed the EA Management Framework criteria for Stage 5, however, once Stage 4 has been completed in September 2004, the DEA will then be in a position to implement its EA as required in Stage 5. The status of each EA Management Framework stage in the DEA follows.
The DEA has created an awareness of the value of developing and using the EA by providing the management foundation necessary for successful EA development as defined in Stage 2. Specifics about how the DEA accomplished this are discussed in detail in Stage 2.
The DEA has completed eight of the nine core elements required by the EA Management Framework and has achieved three of the four critical attributes. The remaining attribute to be completed is verifying that management's commitment to the establishment of the EA has been satisfied through the development of measures for EA progress, quality, compliance, and return on investment.
Critical Attribute 1: Demonstrates Commitment
To complete the first critical attribute for Stage 2 of the EA Management Framework, the DEA demonstrated its commitment to building an EA management foundation by establishing two core elements:
Adequate Resources. According to the EA Management Framework, obtaining adequate resources includes: 1) identifying and securing the funding necessary to support EA activities; 2) hiring and retaining the right people with the proper knowledge, skills, and abilities to plan and execute the EA program; and 3) selecting and acquiring the right tools and technology to support EA activities.
The DEA initiated the development of an EA program in 2002 and estimates that it will cost approximately $2.7 million to complete the EA by September 2004. The following table shows the DEA's expenditures as of FY 2003 to develop an EA and the estimated cost to complete the EA to Stage 5, or full maturity.
EA Development Cost
In FY 2002, the DEA spent $667,000 from its base appropriations for EA development. In FY 2003 the DEA requested an additional $400,000 to continue developing EA, but the funding was not approved. According to the DEA's EA Chief Architect, approval of the requested amount would have allowed the DEA to complete a detailed description of the existing architecture more quickly.15 She also stated that the DEA was able to contract out the EA development project using funds from other sources.
The DEA has allocated 4.25 full time equivalent staff - but assigned 3.25 full time equivalent staff (.5 managers, .5 staff members, and 2.25 contractors) - in support of EA efforts and completion of the current EA. The Deputy Assistant Administrator of the DEA's Office of Information Systems, which is the office responsible for developing the DEA's EA, is currently serving as the Chairman of the Department's EA committee. The Chief Architect, who established the foundation for the DEA's EA, had transferred to the DEA from the Department's Justice Management Division where she had dealt with technology issues. The DEA's Program Office has two senior analysts and one junior analyst assigned to work on completing the EA.16 Additionally, the DEA hired a contractor in October 2003 to aid in the completion of the EA.
In addition to funding and human resources, the DEA has acquired tools and technology to support its EA activities. The DEA uses the Popkin System Architect (Popkin) as its automated EA tool.17 According to the Chief Architect, one reason the DEA chose Popkin is that the Department is also using Popkin and the future integration of the DEA's EA with the Department's EA may be more easily achieved. Because the DEA has just recently begun using the Popkin tool, we did not assess its effectiveness in clearly and completely documenting the DEA's EA, but we agree that using the same tool as the Department should aid in the future integration of the agency's EA with the Department's EA.
EA Governing Committees. The EA Management Framework states that an agency should assign responsibility for directing, overseeing, and approving architectures to a committee or group with cross-representation from throughout the enterprise. Establishing agencywide responsibility and accountability is important to demonstrate the agency's commitment to building a management foundation for the EA and obtaining buy-in from across the agency. Accordingly, the committee or group should include executive-level representatives from each line of the business, and these executive representatives should have the authority to commit resources and enforce decisions within their respective organizational units.
To meet the requirements of the EA Management Framework, the DEA established three governing committees: 1) the Executive Review Board, 2) the Business Council, and 3) the Compliance Council. Together, the three governing committees are responsible for ensuring that the DEA's EA meets all federal and Departmental requirements.
The Executive Review Board is responsible for providing leadership to implement a managed IT capital planning and investment control process. The IT capital planning and investment process includes the development and maintenance of an agencywide EA. The Executive Review Board has the authority to recommend or approve:
The Executive Review Board's responsibility to the EA development consists of approving the completed EA and any subsequent changes. Consequently, it would not meet until the EA is completed. At this point of the EA development process, the EA Program Office is responsible for ensuring the integrity of the EA in meeting the DEA's mission and goals.
The DEA's Chief Information Officer and the DEA's CFO jointly chair the Executive Review Board. In our judgment, the membership of the Executive Review Board demonstrates an agencywide leadership commitment to the EA process.18 The Executive Review Board membership consists of the following:
The Business Council's primary responsibility is to ensure that projects and investments recommended by program managers are consistent with the DEA's mission, strategic plan, capital planning goals, EA, and security policy. The Business Council members function as the working level experts for the ITIM process by providing business expertise specific to their respective business unit. The Business Council's membership is at the Grade-15 level and includes a representative from every organizational unit within the DEA. The Deputy Assistant Administrator, Office of Information Systems, chairs the Business Council.
The Compliance Council is responsible for evaluating IT investments and the DEA's EA to ensure compliance with legislative regulations and DEA policy. The Compliance Council consists of members whose day-to-day responsibilities involve a compliance area. The members work to ensure compliance with such areas as the Federal Enterprise Architecture, the Government Performance and Results Act, and the Government Information Security Reform Act. The Chief of the Strategic Business Management Section, Office of Information Systems chairs this committee.
Critical Attribute 2: Provides Capability to Meet Commitment
The completion of the second critical attribute for achieving Stage 2 requires the DEA to establish three core elements:
The DEA has implemented the three core elements above to achieve Critical Attribute 2.
EA Program Office. The EA Management Framework states that EA development and maintenance should be managed as a formal program. Accordingly, responsibility for EA management should be assigned to an organizational unit and not an individual. The CIO Practical Guide, discussed in the Background section of this report, states that the primary responsibility of the EA Program Office is to ensure the success of the EA program.
In response to the Framework and the CIO Practical Guide, the DEA reorganized its Office of Information Systems to include a Strategic Business Analysis Section as the EA Program Office (Program Office). The Program Office is responsible for the development and maintenance of the DEA EA.
To accomplish its responsibility, the Program Office coordinates with offices throughout the DEA as well as external IT organizations; assists DEA customers in developing their concepts and plans for the application of IT to their business processes; and also assists customers with the ITIM process. Further, the Office of Information Systems proposed a staffing level that would enable the Program Office to complete its work. The following table shows the Strategic Business Analysis Section's proposed staffing level, and the staffing level as of February 2004.
Proposed Staffing for the
As the above table shows, the section's staff consists of a chief, three computer specialists, and one management analyst. Two of the three computer specialists on board were assigned to help complete the EA. As of April 2004, seven contractor personnel were allocated to the section, but only four had completed the security clearance process and were on board.
Even though the proposed staffing level for the section was not fully achieved, the DEA began developing the EA and implementing the ITIM process.19 As stated previously, the DEA has documented its high-level current architecture outlining the agency's business areas, applications, data, and technology. According to the DEA's Chief Architect, not having the full complement of staff slowed progress toward completing the EA.
Chief Architect. The CIO Practical Guide and the EA Management Framework state that an agency should appoint an executive as Chief Architect, who is responsible and accountable for the EA, and whose background and qualifications include both the business and technology areas of the organization. Additionally, the Chief Architect is responsible for ensuring the integrity of the EA development process and for the content of the EA products.
The DEA appointed the head of the Strategic Business Analysis Section as the Chief Architect. As discussed previously, this person transferred from the Department's Justice Management Division where she participated in business (including budgeting) and technology issues. The Chief Architect is responsible for:
Framework, Methodology, and Automated Tool. The DEA uses a combination of two frameworks to develop its EA. One framework is known as the Federal Enterprise Architecture Framework (FEAF), and the other is the Zachman Framework - named after John Zachman, a recognized leader in the EA field.
The FEAF is intended to provide federal agencies with a common way of constructing their respective architectures.20 According to the GAO, the FEAF facilitates the coordination of common business processes, technology insertion, information flows, and system investments among federal agencies. The FEAF describes an approach, including models and definitions, for developing and documenting architecture descriptions for different segments of the federal government. Similar to the Zachman Framework, the FEAF's proposed model describes an entity's business, data necessary to conduct the business, applications to manage the data, and technology to support the applications.
The Zachman Framework provides six perspectives, or viewpoints, on how an agency operates: 1) the strategic planner, 2) the system user, 3) the system designer, 4) the system developer, 5) the subcontractor, and 6) the system itself. The Zachman Framework also provides six models associated with each of the six viewpoints: 1) how the agency operates, 2) what the agency uses to operate, 3) where the agency operates, 4) who operates the agency, 5) when the agency's operations occur, and 6) why the agency operates.
The DEA saw benefits in both frameworks and combined these two concepts in developing its EA. However, the DEA has been more concerned about ensuring that the EA aligns with the FEAF since that framework will eventually be used by the entire federal government.
The DEA's methodology to develop its EA is a three-phase approach.
Phase 1. Includes documenting, at a high-level, what currently exists within the DEA in terms of business areas, applications, data, and technology.
Phase 2. Includes 1) providing more detail to the current architecture, 2) goals and objectives stated in the Department and the DEA strategic plans, 3) performance measures, 4) aligning the DEA's architecture with the Federal Enterprise Architecture reference models, and 5) aligning the architecture with the DEA's capital planning process.
Phase 3. Includes the establishment of the target architecture, including security compliance and the development of a transition plan.
The DEA completed Phase 1 of the EA development in December 2002. In February 2003, the DEA's CIO submitted the high-level description of the DEA's current EA to the three DEA IT governing boards for inclusion in the budget process. In March 2004, the DEA told us that its contractor completed Phase 2, and the DEA was in the process of reviewing the contractor's work for compliance with the FEAF requirements. As of April 2004, the DEA had not begun Phase 3 of the EA project.
An EA automated tool serves as the storehouse of the architecture products. Architecture products include the current and target architectures and the transition plan. The choice of tool is based on the agency's needs and the size and complexity of the architecture. As stated previously, the DEA has chosen the Popkin automated tool to store its architecture products. The DEA chose Popkin because the Department is also using Popkin and the future integration of the DEA's EA with the Department's EA may be more easily achieved. Because the DEA has just recently begun using the Popkin tool, we did not assess its effectiveness in clearly and completely documenting the DEA's EA, but we agree that using the same tool as the Department should aid in the future integration of both EAs.
Critical Attribute 3: Demonstrates Satisfaction of Commitment
The completion of the third critical attribute for achieving Stage 2 requires the DEA to establish an EA Program Plan that includes the following core elements:
We evaluated the DEA's EA Program Plan and found that the plan complies with the criteria established in the framework, and demonstrates completion of the third critical attribute.
Current and Target Architectures, and Transition Plan. The CIO Council requires that agencies have a written EA Program Plan. The plan should describe the steps to be taken and the tasks to be performed in managing the EA program. The plan should also make provision for the development of architectural descriptions of how the organization currently operates (the current), how it intends to operate in the future (the target), and how it will transition from the current to the target environment (the transition).
The DEA has developed a plan in accordance with the CIO Council's guidelines. According to the DEA Program Plan, the DEA will:
Security. In the Program Plan, the DEA states that the requirements associated with information security are guided by legislation, including the Federal Information Security Management Act. As a result, the security elements of the EA will be embedded within the target EA as a specific EA layer.
The plan requires the DEA's EA to comply with EA regulations and guidance available to federal agencies. The DEA is using various guidance to complete the EA including: Annual Performance Plan, Strategic Plan, IT Strategic Planning, IT Capital Planning, EA Analyses Reports, Communications Plan, IT Governance Plan, and Transition Plan. According to the DEA, the guidance is used in establishing a balance between the detail of the architecture and cost constraints of the architecture program.
Detailed analyses of the current architecture will allow the DEA to identify areas in which applications could be combined and where future investments are necessary. The results of these analyses form the basis for the target architecture. As stated previously, the DEA has completed a high-level description of its current architecture and is working on adding more detail to the current architecture and beginning to develop the high-level target architecture. The current architecture describes to the DEA the current state of business operations and information exchange within and across the organization, but it does not show where the DEA wants to go in the future.
Critical Attribute 4: Verifies Satisfaction of Commitment
The completion of the fourth critical attribute to achieve Stage 2 requires the DEA to ensure that the Program Plan calls for the following core element:
The measurement of EA progress, quality, and compliance is necessary to ensure that the EA meets the targeted milestones and is compliant with the necessary regulatory requirements. Measuring return on investment would tell the DEA what benefits are realized by the development of the EA in relation to the cost of the EA development.
Developing Metrics for Measuring EA Progress. The DEA has not yet established metrics for measuring EA progress, quality, compliance, and return on investment. The DEA Chief Architect told us that these metrics would be developed at a later unspecified date.
EA Stage 2 Summary
The DEA has completed nearly 90 percent of Stage 2 and has made progress toward attaining Stage 3 as required by the EA Management Framework.
In Stage 3, the DEA must implement six core elements within the four critical attributes required by the EA Management Framework. The DEA has partially completed one of the four critical attributes, critical attribute 3, which requires the DEA to ensure that the current and target architectures are described in terms of business, data, application, and technology.
Critical Attribute 1: Demonstrate Commitment
To complete the first critical attribute for Stage 3 of the EA Management Framework, the DEA must establish the following core element:
According to the EA Management Framework, an organization policy is an important means for ensuring agencywide commitment to developing the EA and for clearly assigning responsibility for doing so. The architecture policy should define the scope of the architecture as including a description of the current and target architecture, as well as a transition plan that supports the move from the current to the target architecture. Additionally, the policy should provide for having processes for EA oversight and control, review, and validation. The policy should also address the purpose and value of an EA; its relationship to the organization's strategic vision and plans; and its relationship to capital planning process.
The DEA has not established a formal written and approved organization policy for the EA development. However, the DEA has established the required elements of the EA development policy in different ways.
As described in Stage 2, the DEA established the IT governing boards with representation from all DEA business areas to ensure agencywide commitment to EA development. The DEA also established the EA Program Office with responsibility for developing the EA. In addition, the EA Program Management Plan - discussed in Stage 2 - outlines the scope of the architecture including a description of the current and target architecture, as well as the transition plan. The EA Program Management Plan also addresses EA oversight, control, review, and validation responsibilities. Further, the DEA's CIO outlined the value of the EA, its relationship to the organization's strategic vision and plans, and the capital-planning process in the DEA's IT Strategic Plan. However, having the EA development information together in the form of an organization policy will allow any DEA staff member to consult one document for information concerning the development and implementation of the DEA EA.
Critical Attribute 2: Provides Capability to Meet Commitment
The completion of the second critical attribute for achieving Stage 3 maturity requires the DEA to establish the following core element:
As of May 2004, the DEA current architecture had not met this standard. The DEA's Chief Architect told us that configuration management within the DEA is evolving and the DEA is moving toward establishing an office to manage it.
At the time of our audit, the DEA was in the process of establishing a Quality Management Unit within the Office of Information Systems. The Quality Management Unit will be responsible for configuration management of the DEA IT infrastructure including the EA. The EA is intended to reflect the impact of ongoing changes in business function and technology on the agency, and support capital planning and investment management in keeping up with these changes. Consequently, the completed EA - current architecture, target architecture, and transition plan - need to be kept accurate and current.
Critical Attribute 3: Demonstrates Satisfaction of Commitment
The completion of the third critical attribute for achieving Stage 3 maturity requires the DEA establish three core elements:
Current and Target Architectures, and Transition Plan. According to the EA Program Plan, EA products will describe the current and target agency environments as well as the transition plan. As stated earlier, the DEA has not completed all components of the EA. However, it has completed a high-level description of its existing architecture and has plans to complete the target architecture and transition plan by September 2004.
The EA Program Plan also states that EA products - current and target architectures and the transition plan - will be described in terms of business, data, application, and technology. To show its commitment to the plans outlined in the EA Program Plan, the DEA's high-level description of the existing architecture was described in terms of business, data, application, and technology.
Security. In the EA Program Plan, the DEA stated that security would be addressed as a specific layer within the target architecture.
Critical Attribute 4: Verifies Satisfaction of Commitment
The completion of the fourth critical attribute to achieve Stage 3 maturity requires the DEA to establish the following core element:
As stated in Stage 2, the DEA has not established metrics for measuring EA progress. The measurement of such progress against EA development plans is necessary to ensure that the development meets targeted milestones.
EA Stage 3 Summary
The DEA has made limited progress toward attaining Stage 3 maturity of the EA Management Framework. The DEA has developed one EA product, the high-level current architecture. The high-level current architecture meets the requirements of the EA Management Framework in terms of the business, data, application, and technology areas. However, the DEA lacks a written and approved policy for EA development, implementation, and maintenance. In addition, the DEA must ensure that when completed, all EA products undergo configuration management and that the target architecture addresses security as outlined in the EA program plan.
To complete Stage 4, an agency must: 1) establish policy for maintaining the EA, and 2) complete the EA including the current and target architectures along with the transition plan to get from the current to the targeted environments. The completed EA must be described in terms of business, data, application, and technology; and the descriptions must address security and be approved by the agency CIO and the committee or group representing the agency or the investment review board. The DEA has not established a formal written organization policy for maintaining the EA. However, the document creating the EA Program Management Office outlines the procedures for maintaining the EA.
To attain Stage 4 maturity, additional work must be completed before the EA is used as intended - to drive sound IT investments that are consistent with the DEA's goals and missions. Currently, the DEA is working on adding more detail to the high-level description of its EA and developing the target architecture. The following chart shows the DEA's timeline for completing its EA by September 2004.
The DEA's target architecture will define the vision of the DEA's future business operations and supporting technology and will also describe the desired capability and structure of the business processes, information needs, and IT infrastructure at some point in the future. Just as the current architecture captured the existing business practices, functionality, and information flows, the target architecture will reflect what the DEA needs to evolve its information resources.
The target architecture, when completed, will identify the:
According to the CIO Council, a target architecture should:
The DEA's Chief Architect told us that the development of a target architecture is the most time-consuming and costly portion of the EA development. However, a target architecture is necessary to evaluate whether current IT investments are capable of taking the DEA into the technology future.
According to the CIO Council, the process of evolving from an existing architecture to a target architecture is complex and requires multiple inter-related activities. The best way to understand and control such a complex process is to develop and maintain a systems migration roadmap, or transition plan.
A transition plan provides a step-by-step process for moving from a current architecture to a target architecture. Such a plan is the primary tool used for program management and investment decisions because the plan represents the current environment as well as any development programs that are planned or underway. To remain current and to support continued coordinated improvements across an agency, a transition plan should be maintained and updated as time and circumstances dictate.
In addition to specific development requirements for the new components in a target architecture, a transition plan should consider including a wide variety of inputs such as:
A transition plan defines and differentiates between legacy, migration, and new systems. The legacy systems and their applications are those in current operation and usually are phased out during the deployment of a target architecture. Migration systems and applications may be in current operation, but certainly will be in operation when the transition begins and for some time into the future. New systems and applications are those that are being acquired, are under development, or are being deployed. The new systems and applications are expected to be operational as part of the target environment.
A transition plan should form the basis for the DEA's annual IT capital investment plan, which is a key ITIM component. Until the DEA develops a transition plan, there is a risk that it may invest in technology that does not meet the DEA's missions and goals.
EA Stage 4 Summary
To complete its EA, the DEA must develop the target architecture and a transition plan to allow the EA to do as intended - to drive IT investments.
According to the EA Management Framework, an organization at Stage 5 maturity has: 1) completed the EA, and 2) secured senior leadership approval of it. In addition, at Stage 5 decision-makers are using the architecture to identify and address ongoing and proposed IT investments that are conflicting, overlapping, not strategically linked, or redundant. Thus, Stage 5 agencies are able to avoid unwarranted overlap across investments and ensure maximum systems interoperability, which in turn ensures the selection and funding of IT investments with manageable risks and returns. In essence, an agency at Stage 5 maturity is using the EA as intended - to drive IT investments and ensure systems interoperability.
EA Stage 5 Summary
The DEA cannot meet Stage-5 requirements of the EA Management Framework until it completes the EA.
The DEA continues to make progress toward completing an EA in accordance with available guidance and frameworks and has begun to effectively manage its EA with the aspects completed to date. As of April 2004, the DEA had completed nearly 90 percent of the EA Management Framework criteria for meeting the Stage 2 level of maturity. The DEA has completed eight of the nine core elements for Stage 2 required by the EA Management Framework and thereby has achieved three of the four critical attributes.
The DEA has demonstrated its commitment to complete the EA by: 1) obtaining senior management buy-in through the EA governing committees; 2) reorganizing its Office of Information Technology Systems to include an office focused on the development, implementation, and maintenance of the EA; and 3) appointing a Chief Architect to ensure the integrity of the EA development process, and by selecting a framework, methodology, and automated tool to aid in completing the EA.
The DEA has made limited progress toward attaining Stage 3 maturity of the EA Management Framework. The DEA has developed one EA product, the high-level current architecture, which meets the requirements of the EA Management Framework in terms of the business, data, application, and technology areas.
In September 2002, the DEA documented a high-level description of its "as is," or current, EA using DEA personnel who were assisted by a contractor. The development of the current EA is required to achieve Stage 3 of the EA Management Framework. The high-level current EA provided the DEA with descriptions of its business processes, applications used to carry them out, data used in accomplishing them, technology used in implementing them, and stakeholders affected by them.
However, the high-level "as is" EA lacked the detail necessary for the DEA to progress to a "to be," or target architecture. In April 2004, the contractor added the necessary detail, and the DEA accepted the product after reviewing it to ensure consistency with the Federal Enterprise Architecture Framework.
To attain Stage 3 maturity, the DEA must establish a written and approved policy for EA development, implementation, and maintenance, and ensure that EA products undergo configuration management. In addition, the DEA must ensure that the target architecture addresses security as outlined in the EA program plan.
To attain Stage 4 and 5 levels of maturity as described by EA Management Framework, the DEA must complete and begin implementing the EA. To build on its accomplishments, the DEA needs to press forward with completing its target architecture and transition plan. Without those plans, the DEA cannot ensure that technology proposals will meet future IT requirements.
We recommend that the DEA:
To implement the five stages of the ITIM process, the DEA must also complete five core elements for each critical process listed below. The five core elements are: 1) purpose, 2) organizational commitment, 3) prerequisites, 4) activities, and 5) evidence of performance. With the exception of the "purpose" core element, each of the other core elements also contain key practices, which are the attributes and activities that contribute most to the effective implementation and institutionalization of a critical process.23
Stage 1. To complete this stage, the DEA needs to create investment awareness, using the following critical process: using a disciplined investment process for IT spending. The DEA has created an IT investment awareness within the agency.
Stage 2. The second stage - building the investment foundation needs - consists of the following critical processes within the ITIM Framework: instituting the investment board, meeting business needs, selecting an investment, providing investment oversight, and capturing investment information. The DEA has completed the stage entirely.
Stage 3. Developing a complete investment portfolio is the objective of this stage. Critical processes include: defining the portfolio criteria, creating the portfolio, evaluating the portfolio, and conducting post- implementation reviews. The DEA has made progress in completing this stage.
Stage 4. This stage consists of improving the investment process and uses the following critical processes: improve the portfolio's performance and manage the succession of information systems. As the DEA's selection and control processes mature, the DEA will begin focusing on improving the established evaluation processes for this stage.
Stage 5. Leveraging IT for strategic outcomes is the final stage in the ITIM maturity process. The critical processes for this stage are: optimizing the investment process and using IT to drive strategic business change. The DEA will attain Stage 5 maturity when its selection, control, and evaluation processes operate together to produce IT outcomes. The status of the DEA's ITIM stages follows.
The DEA has attained a basic ITIM capability (Stage-2 maturity) to establish the foundation for effective and replicable IT project-level investment selection and control processes. Selection processes ensure that the DEA has an effective methodology for approving only those IT projects that are consistent with its needs and goals. Effective control processes ensure that deviations from cost and schedule baselines can be identified quickly.
Critical Process #1: Instituting the Investment Boards
According to the ITIM Framework, the purpose of investment boards is to ensure that basic policies for selecting, controlling, and evaluating IT investments are developed, institutionalized, and consistently followed throughout the organization. Depending on its size, structure, and culture, an organization may have more than one IT investment review board. The organization may choose to make the same board responsible for executive guidance and support for the EA. Such an overlap of responsibilities may enhance the ability of the boards to ensure that investment decisions are consistent with the EA and that the EA reflects the needs of the organization.
In establishing three agencywide IT Investment Boards - the Executive Review Board, the Business Council, and the Compliance Council - the DEA implemented the following key practices as stated in the ITIM Framework:
Investment Boards. The DEA has established three IT investment boards: 1) the Executive Review Board, 2) the Business Council, and 3) the Compliance Council. These three boards are also responsible for executive guidance and support for the EA. The boards' EA responsibilities are discussed in detail in Finding 1 of this report.
The Executive Review Board's primary responsibility is to provide leadership to enable the implementation of a managed information technology, capital planning, and investment control process. The Executive Review Board also recommends the continuation, modification, or termination of funding for IT projects. The DEA's Chief Information Officer and Chief Financial Officer jointly chair the Executive Review Board. Additional members of the board include three DEA Assistant Administrators, the Chief Counsel, the Chief Inspector, the Chief of the Office of Congressional and Public Affairs, and two Special Agents in Charge.24
The Business Council's primary responsibility is to ensure that recommended projects and investments are consistent with the DEA mission, strategic plan, capital planning goals, EA, and security policy. Business Council members function as working-level experts for the ITIM process by providing business expertise specific to the business units that each member represents. The Deputy Assistant Administrator of the Office of Information Systems chairs the Business Council, and the members are GS-15 level staff members from every organizational unit within the DEA.
The Compliance Council is responsible for evaluating IT investments to ensure compliance with legislative regulations and DEA policy. The Chief of the Strategic Business Analysis Group, Office of Information Systems, chairs the Compliance Council. The Compliance Council's members include individuals whose day-to-day responsibilities involve a compliance area. The members of the Compliance Council work to ensure compliance with such areas as the Federal Enterprise Architecture, the Government Performance and Results Act, and the Government Information Security Reform Act.
IT Investment Process. The DEA's IT Investment Process Guide and Transition Plan (Investment Guide), dated December 2001, documents the agency's IT investment process. The Investment Plan contains all the elements prescribed by the ITIM Framework including:
Adequate Resources. According to the ITIM Framework, executive management is typically responsible for creating investment boards, defining their scope and resources, and specifying their membership. Establishing an investment management working group can benefit both the investment boards and IT project managers by coordinating requests for information providing responses.
The Chief of the DEA's Strategic Business Analysis Section told us that the DEA has secured the necessary resources, including staff and funding, to support the operations of the three investment boards. Top management support for the operation of the investment boards is demonstrated by the assignment of senior DEA personnel to the Executive Review Board and the Business Council. In addition, the DEA has established an ITIM Management Group within the Strategic Business Analysis Section of the Office of Information Systems. The Management Group provides support, advice, and guidance on carrying out the ITIM process. The Management Group facilitates access to IT experts. The Management Group operates as an investment management center staffed with DEA and contractor personnel. The Management Group is responsible for providing the DEA Administrator, CIO, CFO, and senior leadership with the necessary analytical and project management information for making key budget, financial, and program management decisions affecting the future use of IT in the DEA. The Management Group is also responsible for overseeing the movement of investment proposals through the ITIM process, including providing assistance to project managers.
Competence. According to the ITIM Framework, to ensure the success of an IT investment program, members of investment boards should be familiar with the boards' policies and procedures and be capable of carrying out their responsibilities competently. Training should be provided for members who have had little or no investment decision-making experience or relevant education. For example, training could be provided in economic evaluation techniques, capital budgeting methods, performance measurement strategies, and risk management approaches.
As described in a DEA self-assessment, the members of the three investment boards are qualified to make strategic decisions regarding IT investments.25 The DEA's CIO, who is responsible for establishing the IT investment process, chairs the Executive Review Board. The CIO has extensive experience in IT management. Additionally, the Business Council members are key line managers who are knowledgeable about business requirements in their respective areas of responsibility.
Further, the Management Group assists project and program managers in preparing clear, concise summaries of their investment proposals for presentation to the Business Council. According to the Chief of the Strategic Business Analysis Section, for major investments, the Management Group provides guidance on scoring various investment elements and instructs the Business Council on how to complete a scoring worksheet.26
The Chief of the Strategic Business Analysis Section told us that the DEA recognizes the importance of periodic training for board members and program managers. For example, in April 2003 before the FY 2005 budget cycle, the DEA CIO issued a memorandum encouraging the executive staff and anyone involved with IT investments to attend one of two training seminars taught by an OMB IT investment expert. The training focused on the IT capital planning process and the development of IT business cases as presented in the OMB Exhibit 300, which shows the proposed cost, schedule, and performance goals for the investment.
Additionally, the DEA partnered with the Department's Office of the Chief Information Officer (OCIO) to arrange another training session on IT investments in May 2003. The training focused on obtaining a five score in the OMB scoring of Exhibit 300 investments.27
The DEA obtained the highest score of 5 for 2 of the 11 IT investment proposals scored by the OMB. Further, 5 of the 11 IT investment proposals obtained a score of 4. An OCIO budget analyst told us that the two perfect scores were the only perfect scores for the Department in the FY 2005 budget cycle.
Avoiding Duplication or Gaps. According to the ITIM Framework, the existence of multiple boards to govern the agency's IT investment process requires that criteria governing the boards' authorities and responsibilities be defined in such a way that there are neither overlaps nor gaps in the assigned authorities and responsibilities. The criteria governing the boards' authorities and responsibilities can be based on: cost, benefit, schedule, and risk thresholds; the number of users affected; the function of the business unit; the lifecycle phase of an IT investment; or other comparable and useful measures.
To ensure that no overlaps or gaps exist within the scope of the boards' authorities and responsibilities, the DEA has created a hierarchical approach to the operation of the investment boards. Before the boards become involved in the ITIM process, the Management Group works closely with the project and program managers to ensure the completeness of the IT investment proposals and to monitor the performance of the investments after funding. The proposals are forwarded to the Business Council for review and scoring based on the DEA mission and goals. Based on the results of the Business Council's review, recommendations are made to the Executive Review Board on the IT projects for which funding has been requested. The Executive Review Board evaluates the recommendations to ensure that the DEA's mission and goals are being met through the proposed investment and then makes final recommendations to the DEA Administrator. In reviewing the boards' minutes we noted that the boards discussed and scored proposals and made recommendations.
Oversight Responsibilities. According to the ITIM Framework, the agencywide IT investment boards should be responsible for developing an agency-specific IT investment guide to ensure that technological resources are linked to the agency's mission and IT strategic plan. The boards' work processes and decision-making processes are described and documented in the guidance. Additionally, after the guidance has been developed, the investment boards must actively maintain the guidance, making sure that it reflects the current structure and processes used to manage the selection, control, and evaluation of the organization's IT investments.
The DEA documented its IT investment processes in its December 2001 Investment Guide. Since the investment boards were not in existence at the time, the DEA formed a temporary working group consisting of representatives at the management and executive levels to develop the Investment Guide. The Executive Review Board's charter states that the Executive Review Board must approve all changes to the Investment Guide. Due to the importance of the Investment Guide to the ITIM process, the mandatory approval of any changes to the Investment Guide demonstrates one of the Executive Review Board's key oversight responsibilities.
Controls. According to the ITIM Framework, establishing effective controls helps ensure that management will carry out IT investment boards' decisions. Without management controls, decisions made by investment boards might not be implemented because of conflicting priorities of the boards' members. To ensure the effectiveness of management controls, the relationship between upper management and the investment boards must be documented and agreed to by both parties. The investment boards must have the confidence of upper management when deciding on new proposals and funding for ongoing projects.
The DEA Investment Guide identifies the key DEA players in the ITIM process as follows: the Administrator, CIO, CFO, other senior executives who sit on both the Business Council and the Executive Review Board, and the Management Group. By including such high-ranking officials as the key players to manage the ITIM process, the DEA has, in essence, established controls and oversight to ensure that the boards' decisions are carried out. Because the investment boards have been in operation for only one cycle of the select phase, we were unable to evaluate the boards' effectiveness.
Critical Process #2: Identifying Business Needs for IT Projects
According to the ITIM Framework, an agency needs to develop a process to identify the business needs supported by the proposed IT investment. IT projects and systems should be closely aligned with the business needs of the agency to support the highly visible core business processes. To the extent that an agency has planning documents - such as a strategic plan or target architecture - these documents should be used as a source of agreed-upon business needs.
The identification of business needs is important to ensure that IT projects and systems support the agency's strategic plan objectives and business goals and objectives. In addition, the agency's investment management process is strengthened and institutionalized by linking the agency's business objectives to its IT strategy and establishing a partnership between the sponsoring unit and the provider of the technology.
To ensure that business needs are identified for IT projects, the DEA implemented the following key practices in accordance with the ITIM Framework:
Policies and Procedures. The ITIM Framework states that an agency should have policies and procedures that outline a systematic process for identifying, classifying, and organizing its business needs and the IT projects that support these needs. In many cases, the policies and procedures can be covered in the internal guidance used for documenting the business case for a proposed IT investment.
In its Investment Guide, the DEA has documented its process for identifying business needs for proposed IT investments. According to the Guide, program managers submit proposals to the Business Council and the Executive Review Board for consideration. Each IT proposal must identify which business need is served by the proposed IT project. The proposal must also state tangible and measurable mission benefits. The DEA has standardized the presentation of an IT proposal to the Business Council by creating a template that must be used by program managers, and also has incorporated the identification of the business needs that are to be supported by the IT proposal as one of the categories within the template.
Further, after the Business Council and the Executive Review Board review the proposal and make a determination to pursue the proposal, the project manager prepares the OMB Exhibit 300. In preparing the Exhibit 300, the project manager must also identify the business needs being met by the proposal. In standardizing the proposal presentation and in completing the Exhibit 300, the DEA has helped ensure that the business needs for each IT proposal will be identified.
Business Mission. According to the ITIM Framework, the business mission, containing the agency's stated goals and objectives, is typically identified in the agency's Strategic Plan.
The DEA incorporated its general business mission into the IT strategic plan, and according to that plan the DEA's IT mission is to strengthen the IT environment to meet future challenges for drug enforcement, terrorism, and electronic government. To accomplish its IT mission, the DEA will modernize obsolete infrastructure platforms, expand secure information sharing capabilities, re-engineer business processes, and implement management practices that better support IT management.
Identifying Business Needs. To demonstrate managerial attention to the process of ensuring that business needs are identified for each project, the DEA has tasked the Office of Information Systems with the responsibility to ensure that IT projects and systems identify the organization's business needs. Each unit within the office has a manager and is staffed to support its respective function. In addition, the DEA hires contractors to help staff some of its units within the office. Further, the office periodically updates an inventory of systems to identify current IT projects, which states the system acronym, name, and description. The office also maps each system to a specific function. The office and the Property Custodian Assistants maintain the DEA's technical hardware inventory, which lists the component, hardware description, and software applications and licenses.
According to the DEA, the program managers are considered sponsors of IT investments because they are responsible for the submission of IT concept proposals to the Business Council. As sponsors, each program manager ensures IT investment compatibility with the general DEA IT mission.
The Management Group provides staff support to project managers during the concept proposal phase of an IT project. Specifically, this assistance seeks to link the business objectives of each IT proposal with the business needs of the organization. To support the process as outlined in the Investment Guide, the Management Group provides concept proposal and business plan training for program managers. The DEA also hosts Project Management Institute seminars to train program managers on how to identify business needs. Additionally, the DEA provides training in the Rational Unified Process tool, which provides project guidance to program managers. The Rational Unified Process is a flexible software development process program that enables an agency to provide consistent process guidance to a project management team. The DEA is using the Rational Unified Process in most organizational units to implement replicable and organized processes.
Documenting Business Needs. According to the ITIM Framework, each agency must ensure that its IT projects are directly or indirectly linked to at least one of the organization's business needs or mission goals. A direct link is of greater value than an indirect link. Identifying the business purpose, defining an executive sponsor of each project, or obtaining confirmation from users that the project meets their business needs can establish a direct link.
The business needs for both proposed and ongoing IT investments within the DEA are defined and documented in the OMB Exhibit 300 for each investment. The business plans submitted by the program managers contain goals for each project that map back to the goals listed in the DEA strategic plan.
The DEA Investment Guide states that the Business Council is to evaluate whether the proposal meets the agency's business needs. We reviewed minutes from the Business Council's meetings and determined that the Business Council ranks proposals according to how the proposal supports the business mission of the DEA. Even though the business purpose for each project is determined as part of the proposal phase of the project, ongoing investments undergo further evaluation during the annual budget process. The evaluation consists of: 1) the program manager submitting monthly reports to the Management Group for review and forwarding the reports to the appropriate boards for further review, and 2) the Business Council and the Executive Review Board reviewing the monthly reports to determine if the investment still supports mission-related functions.
Specific User Identification. The ITIM Framework states that IT projects may address the needs of multiple sets of end-users, who will benefit from the system. The agency should formally identify the primary end-users early on in the project. This process allows the IT staff to develop IT projects or systems focusing on specific, well-defined goals of delivering value to its end-users, who depend directly on the IT staff to produce systems that will help them accomplish their particular goals.
The DEA maintains a listing of all potential end-users for all IT projects and systems. This listing is also a part of the DEA EA. Additionally, during the "select" component of the capital planning and investment control process (discussed in the Background section of this report), end-users for each IT investment are identified in the Business Plan and the OMB Exhibit 300 for major IT investments.
End-users' Participation. The ITIM Framework points out that end-user involvement will vary during the different stages of a project's system life-cycle. During the project's conception, end-users should be heavily involved in developing the business case and in defining how the system will help to meet needs or opportunities. The end-user should be heavily involved during user acceptance testing. However, during other phases of development, the end-user should play a more limited role.
During the final phases of the system's life-cycle, especially the operational phase, the end-user should play a major role in helping to identify and document any benefits that are realized from the system's implementation. End-users are encouraged to participate in the operational analysis of the system, which should involve collecting information about the system's performance and comparing it with the initial performance baseline.
During the control phase, each project follows the DEA System-Development Life Cycle. The DEA uses the System- Development Life Cycle to ensure a uniform development process. During this phase, project managers prepare a Project Management Plan (PMP) for each IT investment. The PMP serves as an agreement between the end-user and the development team during the construction of the IT system. Specifically, PMPs outline:
The PMP also includes a work breakdown structure that establishes baseline deliverables and performance milestones. Additionally, the PMP milestones require program managers to provide documentation on project activities to the end-users as the project progresses through the System-Development Life Cycle. And the project's complexity dictates the amount of System-Development Life Cycle documentation required. The DEA utilizes the Rational Unified Process to track the project through the System-Development Life Cycle. The Rational Unified Process consists of four progress stages: 1) inception, 2) elaboration, 3) construction, and 4) transition. The DEA self-assessment states that the DEA uses a Field Advisory Council to determine if the product met end-user requirements within the field offices.28 The Field Advisory Council gathers and provides information to the Office of Information Systems on the development and deployment of technical infrastructure.
Investment Boards' Evaluation. During the investment boards' evaluation, the boards assess the anticipated outcomes of a project or system, and its value in relation to defined expectations. The boards also determine whether and how well the IT project or system is meeting the agency's expectations. After deployment, the DEA measures the system's ability to continually meet a business or user need.
Using historical data, system expectations, and other factors as criteria, the investment boards evaluate each IT project to determine its value to the agency. The review cycle includes an evaluation of project risks. Periodic evaluation of each IT project permits the investment boards to determine the ongoing value of each IT investment. These periodic evaluations are critical to determining whether or not to continue funding the IT project.
If an investment is found to be inconsistent with the organization's strategic goals and objectives, immediate action must be taken at the project level, with oversight provided by the investment boards, to realign the project or system. But even a successful system will eventually begin to provide diminishing returns as it becomes more expensive to maintain. In addition, changing business requirements also can make a system obsolete.
The evaluation phase of the DEA IT Process was not yet operational as of February 2004. Presently, the DEA is operating in the select phase of the IT process. According to the DEA Investment Guide, the evaluation phase of the ITIM process will be concerned with ensuring that each IT investment delivers expected results and mission benefits. When the evaluation phase is implemented, program managers will submit monthly reports to the ITIM Management Group, which will collect and maintain this information in an ongoing IT portfolio. The Business Council and the Executive Review Board will evaluate the investments contained within IT portfolio.
The Management Group Chief told us that the Business Council has initiated a review of current IT investments. The Chief added that individual project managers, in conjunction with their supervisors, perform an evaluative role regarding IT investments. Individual project managers have presented status reports about IT investments to the Business Council. Minutes of Business Council meetings showed that the Business Council ranked each investment and made recommendations to the Executive Review Board on project funding.
Critical Process #3: Selecting an Investment
According to the ITIM Framework, review or "reselection" of ongoing projects is a very important part of this critical process. If an IT project is not meeting the goals and objectives that were established in the original selection, the investment boards must make a decision on whether to continue to fund the project.
To satisfy this critical process, the DEA implemented the following key practices:
Policies and Procedures. According to the ITIM Framework, a structured method provides the organization's investment boards, business units, and IT developers with a common understanding of the process and cost, benefit, schedule, and risk criteria that will be used to select IT projects. Also, a documented selection process can help to ensure consistency when an organization is considering multiple investments for funding. Transparency in the process can help to create an environment that is objective, fair, and rational. Thus, potential investments will be judged solely on the merits of their contribution to the strategic goals of the organization without undue influence from outside the process.
The DEA has documented its IT investment selection criteria in the Investment Guide. A program manager prepares a concept proposal for review by the ITIM Management Group, which validates the concept proposal's format and provides a preliminary evaluation of the technical and business feasibility of the proposal. The concept proposal is then forwarded to the Business Council, which provides an independent review - in accordance with approved criteria - to ensure compliance with the DEA EA and to prevent duplication with ongoing development efforts. The criteria include evaluating risks, costs, and mission benefits based on the DEA's IT Strategic Plan and organizational priorities, consistency with the DEA EA, and compliance with security policy. The Business Council forwards its recommendations to the Executive Review Board, which evaluates and prioritizes the proposals to be forwarded to the DEA Administrator for approval and inclusion in the annual budgeting process.
During the budgeting process, the program managers prepare and submit OMB Exhibits 300, which include a feasibility study, project plan, and preliminary budget estimate. Each Exhibit 300 is reviewed and evaluated by the ITIM Management Group, Business Council, and Executive Review Board. The projects are compared and rated on a color scale of red, yellow, or green. Red-rated investments are not accepted. Yellow-rated investments have received a "concerned approval" that may require additional information and close monitoring. Green-rated investments signify approval.
The DEA ITIM Management Group forwards an approved portfolio of proposed investments to the Department's ITIM Management Group. The Department's ITIM Management Group then consolidates the portfolio with those from other Departmental components and submits them to the Department's Senior Management Council for decision, prior to forwarding the portfolio to OMB for review.
Further, the DEA uses the process described above to reselect ongoing IT investments. As noted above, the DEA has integrated the funding of investments into the selection process by allowing the selection process to occur simultaneously with the DEA annual budget process.
Adequate Resources. The ITIM Framework states that the resources for selecting IT projects typically involve:
As the concept proposal author, a program manager becomes the sponsor of the proposed investment. As the sponsor, the program manager is responsible for ensuring IT investment compatibility with the DEA IT Strategic Plan.
Regarding staff support of investments, the DEA has in place an ITIM Management Group, which is responsible for designing, implementing, and operating the DEA ITIM process, including the IT investment selection process. The ITIM Management Group manages the process by: 1) validating IT proposal completeness, 2) monitoring individual investment performance, and 3) supporting the Business Council and the Executive Review Board in evaluating the investments.
The DEA has described in its Investment Guide the tools, methods, and equipment to be used for selecting IT projects. The DEA uses standardized templates for the submission of IT proposals to the Business Council for review. The Business Council and the Executive Review Board use approved criteria to evaluate the IT proposals. The proposals are organized according to the ranking received from the Business Council and the Executive Review Board.
Pre-determined Criteria. According to the ITIM Framework, any decision-support process should be based on pre-determined criteria. In order to maintain consistency, the criteria should include quantitative or qualitative measures for comparing projects, based on such things as investment size, length of the project, technical difficulty, project risk, business impact, customer needs, cost-benefit analysis, organizational impact, and expected improvement. The results of the comparison help the investment boards analyze the potential risk and return on investment for a particular project and prioritize the portfolio using a scoring method that considers the strengths and weaknesses of each project.
The DEA ITIM Management Group has developed a scoring worksheet for use by the Business Council in evaluating each IT investment proposal based on relative factors. These factors include: 1) project management, including performance goals, risk management, security, and project planning and spending; 2) mission support and impact; and 3) appropriateness of funding. Program managers make presentations to the Business Council about the respective IT investments. During the presentation, the Business Council members complete scoring worksheets. The scoring worksheets are then combined, and the investments are prioritized based on the combined score that each investment received. The Business Council's scoring results are reported to the Executive Review Board, which makes the final investment decision. The DEA also uses the above criteria to reselect ongoing IT investments for continued funding.
Organizational Objectives. The ITIM Framework states that during project selection, decision-makers use various criteria to help assess a system's projected outcomes, resource allocations (e.g., people, funding, and tools), and benefits and costs. As organizational goals and objectives change and the criteria for selecting projects change with them, decision-makers need to have a management structure and tools in place to help reassess their decision criteria and the impact of those criteria on decisions, results, and outcomes.
The DEA's ITIM Management Group is responsible for developing and maintaining the agency's IT Strategic Plan, which is updated annually. In addition, the ITIM Management Group develops the scoring worksheet used by the Business Council to prioritize the IT investments. According to the DEA self-assessment, the ITIM Management Group updates the scoring worksheet each year to reflect any changes in the IT Strategic Plan. This is necessary because one criterion for prioritizing an IT investment is whether or not the investment supports the DEA's mission and goals.
Selection Process. An organization must not only have a project selection process documented but must also use the process. The ITIM Framework states that the selection process should occur within the context of the organization's cyclical budgeting process. A designated official should manage the data submission and the screening activities associated with the selection process.
The DEA has completed one selection cycle of the ITIM process and as of March 2004 was in the process of completing the second cycle for the FY 2006 budget year. We reviewed the minutes of the Business Council to determine if the DEA was actually using its prescribed selection process. According to the minutes, the program managers made presentations to the Business Council, which were ranked and prioritized based on how the projects met mission goals and objectives. The Business Council's decision was forwarded to the Executive Review Board for further evaluation and a funding recommendation.
Funding Decisions vs. Selection Decisions. According to the ITIM Framework, an organization's executives have discretion in making the final funding decisions on IT proposals. However, their decisions should be based on the analysis that has taken place during the selection process. Additionally, there should be evidence that some proposals are judged less meritorious than others and thus do not get funded as part of the decision-making process.
As stated earlier, the Business Council prioritizes the IT investment proposals based on its review and evaluation of each proposal. The Business Council recommendations are then sent to the Executive Review Board for further evaluation and recommendation to the DEA Administrator for funding. In a memorandum dated May 23, 2002, the DEA Administrator stated that all funding for DEA IT investments would be based on the Executive Review Board's decisions.
Conclusion. The DEA has completed the steps necessary to establish an IT investment selection process. The DEA has: 1) defined a method for selecting new IT projects and to reselect ongoing IT investments for funding, 2) documented a project selection process and is using it, and 3) laid the foundation to implement the mature critical processes for making IT proposals and selecting projects as described in Stage 3 of the ITIM Framework.
Critical Process #4: Providing Investment Oversight
The purpose of this critical process is to ensure that an organization provides effective oversight for its IT projects throughout all phases of a project's life cycle. While the investment boards should not micromanage each project, they should maintain adequate oversight and observe each project's performance and progress toward defined cost and schedule expectations. The investment boards should expect that each project development team will be responsible for meeting project milestones within the expected cost parameters that have been established by the project's business case and cost-benefit analysis.
To satisfy this critical process, the DEA must implement these key practices:
The DEA has implemented all five key practices.
Policies and Procedures. According to the ITIM Framework, an organization should establish policies and procedures for management oversight of IT projects. The policies and procedures should specify: 1) the criteria to be used by the investment boards when evaluating project performance, and 2) that corrective action be taken when the project deviates or varies significantly from the project management plan.
The DEA has documented procedures specifically covering software project tracking and oversight. These procedures were developed as part of the Capability Maturity Model (CMM) process improvement initiative.29 The procedures cover internal reviews by project managers, formal project management reviews, communication of commitments and changes to commitments, and senior management review of commitments and changes to commitments. The procedures are executed at the project level and operate within the ITIM process. They describe the roles of the project manager, development team, line management, and senior management within each process.
Project managers review the status of software projects with supervisors and customers to identify and resolve issues associated with the project. Project risks are identified for major IT investments and documented in OMB Exhibit 300. The Business Council and the Executive Review Board manage by exception and review only those projects that exhibit a 10-percent or greater cost or schedule variance as explained in OMB Circular A-11. The DEA coordinates application development projects and infrastructure projects to ensure that the infrastructure can support the development of new applications.
The DEA Investment Guide states that along with certain checkpoints in the System-Development Life Cycle, investments in the control phase are subject to periodic progress reviews to assess cost management, schedule variances, and realization of planned benefits. The scope and frequency of these reviews should be determined by the projects' cost, risk, and complexity. The information used for these reviews, such as expenditures and work completed, is collected monthly from the project manager.
Adequate Resources. The ITIM Framework states that an organization should provide the resources needed to oversee its IT projects and systems. These resources should include managers and staff who are assigned specific responsibilities for monitoring, and tools - such as project summary reports on schedule and cost - to support the investment boards' oversight operations.
The Management Group facilitates the ITIM process. The Management Group is staffed with a combination of government and contractor personnel providing the expertise necessary to ensure that investment boards are provided with sufficient information for executive level oversight. The Management Group prepares presentation templates for project managers, assists project managers in preparing materials for the ITIM boards, develops evaluation forms for the boards' members, prepares boards' minutes, and follows up on boards' action items.
In addition, the Management Group coordinates with the Quality Management Unit on evaluation tools for earned-value and project reporting metrics.30 The information generated from these evaluation tools is included in a status report for the ITIM boards' oversight activities. The DEA is also using Microsoft Project to present the standard work breakdown for each project. As the project plans are updated with actual completion dates and costs, this information is included in the earned-value management tool. The Quality Management Unit also captures other project-performance metrics, and reports the data to the ITIM Management Group for use with the investment boards' oversight processes.
Project Management Plans. The ITIM Framework states that each IT project management team should create and maintain a PMP for the project or system for which it is responsible. The PMP documents a variety of project decisions, assumptions, and expectations including project performance. Expectations could include a cost-and-schedule baseline-control system - such as the earned-value management system - milestone-based accomplishment expectations, or another control system depending on the project's size, importance, cost, and risk.
The DEA has required each project to have a PMP that documents the purpose, scope, and background of the project; the project organization; and the management and technical approach. The PMP also contains the project schedule and funding information. A number of supplemental exhibits are included with the PMP, such as project-sizing and documentation requirements, project questionnaires, staff roles and responsibilities, the work-breakdown schedule, primary points of contacts, and a system-risk matrix.
Major IT investment plans are also summarized and reported in the Exhibit 300. The Exhibit 300 captures cost, schedule, and performance data along with earned-value, project assumptions, and risks. Further, the DEA Investment Guide states that after a project's concept proposal is approved, a business case must be developed for further consideration. A business case consists of a project plan, feasibility study, cost-benefit analysis, and concept of operations. These documents are all part of the PMP.
Actual Performance Data. For an organization to establish control of projects in Stage 2 of the ITIM Management Framework, it is essential that all performance data, including cost, schedule, benefits, risks, and system functionality for each IT project, are collected and disseminated to the appropriate IT investment boards. In addition, to monitor the long-term value of a project or system, the organization needs to collect and distribute this information to the appropriate IT investment boards during agreed-upon stages of the project's life cycle.
Currently, the DEA uses its project managers to collect and distribute cost and schedule data for individual projects. This information is provided to the investment boards through presentations at board meetings. Additionally, the project performance data is also captured in the Exhibit 300. The DEA is in the process of assessing earned-value management tools, one of which is to be selected and implemented during FY 2004. When implemented, the earned-value tool will provide additional project metrics that will be reported to the ITIM boards by the ITIM Management Group.
Performance Reviews. The ITIM Framework states that investment boards should oversee the performance of IT projects by conducting reviews at predetermined checkpoints or major milestones in order to compare actual project costs and schedules with the proposal.
During the control phase of the ITIM process, investments are to be subject to periodic progress reviews to assess cost management, schedule variance, and realization of planned benefits. Based on the information collected during these reviews, the ITIM Management Group is to determine which projects are at risk, and then follows up on those projects to identify the problem and the solution.
DEA investment boards activities are evolving and will include more activities during the control phase in 2004. We reviewed the minutes of Business Council meetings in December 2003 and found that during the presentations for each project, program managers informed the Business Council of the status of their respective projects. As stated earlier, the investment boards conduct oversight responsibilities by exception, focusing on investments that show a 10-percent or greater variance in cost or schedule. The ITIM Management Group, in conjunction with the Quality Management Unit, collects and validates the information provided by project managers and presents the data to the investment boards for review.
Critical Process #5: Capturing Investment Information
During this critical process the organization identifies its IT assets and creates a comprehensive repository of investment information. This repository is used to track the organization's IT resources. For an organization to make good IT investment decisions, it must be able to acquire pertinent information about each investment and store that information in a retrievable format, to be used in making future investment decisions.
To complete this critical process, the DEA implemented three key practices:
Information Collection. The ITIM Framework suggests that a standard, documented procedure be used to ensure that developing and maintaining information on projects and systems is replicable and produces IT data that is timely, sufficient, complete, and comparable. The information may be prepared by the information systems support component of the organization and verified and validated by a designated official or another organizational unit.
The DEA Office of Information Systems inventories and accounts for the assets comprising the physical infrastructure, which includes workstations, servers, printers, storage devices, and telecommunication devices. The information collected includes the type of equipment and a unique identifier for the equipment, usually a barcode, acquisition date, deployment date, and location. The DEA similarly maintains a software inventory. These two inventories became the foundation of two of the four EA components. The physical infrastructure is documented in the Application Architecture, and the software inventory is documented in the Technical Architecture. In addition, the DEA's OMB Exhibit 53, IT Investment Portfolio, shows the prior-year, current-year, and budget-year costs for developing and maintaining IT projects.31
According to the DEA self-assessment, the physical inventory and the financial data collected on IT projects are used not only for the management of the assets but also in the project planning process. For example, the information collected about the physical infrastructure deployed to each DEA field division is necessary to determine when and where the deployment of a new application will take place, especially if the new application requires an updated physical infrastructure. Business Council minutes documented that the Council uses information collected about the IT projects and systems to make decisions on whether to select, continue, or terminate a project.
Information Accessibility. According to the ITIM Framework, a repository of information about the IT investments is of value only to the extent that decision-makers and stakeholders use the information. Knowledge of the information contained in the repository by staff and managers throughout the organization can help to avoid duplication of effort and facilitate the reconciling of overlapping resources. For example, a report generated from the information contained in the repository can be used to better manage the licensing of an organization's application software by showing individually licensed applications that may be candidates for group licensing.
The DEA makes the IT system and project inventories available to the investment boards as necessary to allow the boards to view proposed investments in the context of similar initiatives. The inventory of systems is also submitted to the Department's CIO as part of the IT budget formulation process. The inventory then becomes the basis for reporting the DEA IT portfolio on OMB Exhibit 53.
As stated earlier, the inventory and financial data for the IT projects are provided to the Business Council for its review and for making funding recommendations to the Executive Review Board. The Business Council then provides the funding recommendations, along with supporting documentation, to the Executive Review Board, which reviews and makes decisions about the DEA's IT portfolio.
Maintaining the Information Repository. According to the ITIM Framework, informed investment decisions require up-to-date information. Maintaining the integrity of the information repository is important to ensure that the repository remains a useful decision-making tool. As projects and systems change through additions, updates, or deletions, the status of the projects and systems should be documented in the repository. An individual or organizational unit should be designated to maintain the repository.
According to the DEA's self-assessment, the IT inventory maintained as part of the DEA EA is crucial to future investment decisions. The knowledge of current assets - including capabilities, limitations, and expected lifespan - is an important part of any decision that affects the DEA investment portfolio. The ITIM Management Group is responsible for periodically updating the inventory based on DEA decisions about the agency's infrastructure and software configuration.
Our review of the DEA PMP determined that the DEA includes a change-control page to track all changes made to the project. We also found that the DEA Investment Guide requires that during the control phase, investments are subject to periodic progress reviews to assess cost management, schedule variance, and the realization of planned benefits.
ITIM Stage 2 Summary
The DEA has completed the ITIM Framework's critical processes necessary to build an IT investment foundation. The critical processes include: 1) establishment of investment boards, 2) identification of business needs for IT projects, 3) IT investment selection, 4) IT project oversight, and 5) IT system and project identification and tracking.
Stage 3 of the ITIM Framework focuses on the investment boards' enhancement of the ITIM process by developing a complete investment portfolio. According to the ITIM Framework, having a portfolio perspective enables an organization to consider its investments in a comprehensive manner. The portfolio perspective to IT investing is important in that it allows the investment boards to select investments that address not only the strategic goals, objectives, and mission of the organization, but also the effect that projects have on each other. To develop an IT investment portfolio, an organization combines all its IT assets, resources, and investments - considering new proposals along with previously funded investments - and identifying the appropriate mix of IT investments that best meets its mission, organizational, and technology needs, and priorities for improvements.
Stage 3 maturity requires the accomplishment of four critical processes; the DEA has not yet completed them. To attain Stage 3 maturity, the DEA needs to implement 27 key practices within the 4 critical processes. We found that as of February 2004, the DEA had completed 9 of the 27 key practices. However, the DEA has not completed all the key practices within any of the critical processes.
Critical Process #1: Defining the Portfolio Criteria
According to the ITIM Framework, portfolio selection criteria are a necessary part of an IT investment management process. Developing an IT investment portfolio involves defining appropriate IT investment cost, benefit, schedule, and risk criteria to ensure that the organization's strategic goals, objectives, and mission will be satisfied by the selected investments. Portfolio selection criteria reflect the strategic and enterprise-wide focus of the organization and build on the criteria that are used to select individual IT projects. The ITIM Framework states that IT projects are sometimes selected on the basis of an isolated business need, the type and availability of funds, or the receptivity of management to a project proposal. The portfolio selection criteria should be applied as uniformly as possible throughout the organization to ensure that decision-making is consistent and the processes become institutionalized. When an organization's mission or business needs and strategies change, the criteria should be re-examined.
To ensure that the IT investment portfolio criteria are defined, the DEA implemented the following key practices in accordance with the ITIM Framework:
Policies and Procedures. The DEA uses DOJ Order 2880.1A and OMB Circular A-11 as the criteria for its IT portfolio selection. The Order and the Circular emphasize project performance and value added to the agency. DOJ Order 2880.1A provides criteria for selecting major IT investments and defines a major investment as any one that the Department's CIO determines requires special management attention because of its importance to an agency mission, political sensitivity, and high development and maintenance costs, regardless of whether such work is performed by government employees or contracted out. According to the Department's CIO, for an investment to be considered a major IT investment it must meet one of the following criteria:
OMB Circular A-11, Section 300, defines a major investment as one of the following: a system or investment that requires special management attention because of its importance to an agency's mission, an investment that is directly linked to the top two layers of the Federal Enterprise Architecture (Services to Citizens and Mode of Delivery), or an investment that is an integral part of an agency's EA. All major investments are reported on Exhibit 53, which becomes one source, along with the EA and physical infrastructure, for the agency's investment portfolio. The use of DOJ Order 2880.1A and OMB Circular A-11 meet the ITIM Framework requirements for a portfolio selection criteria.
Criteria Development Responsibility. The ITIM Framework states that an individual or working group should be assigned the responsibility of developing IT portfolio selection criteria and for modifying the criteria as necessary. Individuals who are assigned the task of developing and modifying the criteria should have a working knowledge of investment management. Developing the right criteria with which to analyze a portfolio of projects is a critical component of making sound investment decisions.
The DEA ITIM Management Group is responsible for interpreting the above-mentioned criteria and facilitating the application of it. The criteria are documented in the DEA Investment Guide and incorporated in the scoring sheets used by the Business Council to rank the proposed investments. The DEA is ensuring that the Business Council uses the correct criteria for selecting portfolio investments by incorporating the criteria into the scoring sheets.
Portfolio Selection Criteria. According to the ITIM Framework, the criteria for selecting portfolio investments should be linked directly to the organization's broader mission, goals, strategies, and priorities. This ensures that the selected IT investments will support the larger organizational purposes. The Framework points out that the criteria should also take into account the organization's EA to: 1) avoid unwarranted overlap across investments, 2) ensure maximum system interoperability, and 3) increase the assurance that investments are consistent with the IT strategy as captured in the EA.
The selection criteria used for assessing and ranking individual investments and proposals should generally include four essential investment elements: cost, benefit, schedule, and risk. The assessment may also include other criteria to aid in evaluating relationships among investments. Organizations typically focus on these four elements and develop multiple measures under each broad element.
As stated earlier, the DEA uses DOJ Order 2880.1A and OMB Circular A-11, Section 300, as criteria for selecting portfolio investments. In addition, the DEA has established investment selection criteria within the DEA Investment Guide, which defines the core selection criteria that are based on DEA missions, goals, strategies, and priorities. The charters of the Executive Review Board and the Business Council reiterate these core criteria. The Executive Review Board's charter also grants authority to the Executive Review Board to approve changes to the DEA's ITIM process.
The Executive Review Board evaluates funding proposals based on uniform criteria to ensure that all investments meet at least minimum requirements. These criteria include evaluating risk, cost, and mission benefits. As stated previously in the Stage 2 section of this finding, the projects are compared against each other in a portfolio setting and rated on a color scale.
The Business Council's scoring sheet includes the following criteria for evaluating projects: performance goals, risk management, security, project planning and spending, mission support and impact, and cost. The scoring sheet covers the selection criteria elements as outlined in the ITIM Framework and the DEA Investment Guide. The DEA first used this scoring sheet to rank proposed IT investments in 2003 as part of the FY 2005 budget formulation process.
Selection Criteria Awareness. The ITIM Framework states that the criteria for selecting portfolio investments should be disseminated to each IT investment board and IT project managers, organizational planners, and any other interested parties. The selection criteria should be clearly addressed in funding submissions for IT projects.
The DEA program managers use a standardized template to complete the investment proposals. The selection criteria are embedded within the template to ensure that the program managers are not only aware of the criteria but also address them. Again, the Business Council's scoring worksheet used to rank all investments also contains the selection criteria. The Exhibit 300 prepared by the program managers also includes financial data, security, agency mission and strategic goals, and risk assessments.
Our review of the minutes of a December 2003 Business Council meeting showed that all 19 IT investment proposals were presented using the standardized template. For the FY 2005 budgetary process, the DEA prepared 15 Exhibits 300 for new and ongoing IT investments. Because the project managers used the standardized template to submit project proposals, and the investment boards used both the Exhibits 300 and the scoring sheet to rank projects, we conclude that both project management personnel and the investment boards are aware of the portfolio selection criteria.
Selection Criteria Review. The criteria for selecting IT investments may be changed based on: 1) historical experience; 2) changes in the organization's strategic direction, business goals, or priorities; or 3) other factors, such as increased IT management capabilities or technological changes. Ultimately, however, the task of modifying the criteria will be based on the experience and judgment of the enterprise-wide investment boards.
According to the DEA self-assessment, the DEA Business Council uses its experience to rank investments within the framework of the portfolio selection criteria summarized in the scoring worksheet. The Executive Review Board has the authority to recommend and approve changes to the ITIM process, which includes the portfolio selection criteria. The Business Council has been in operation for only one budget cycle, and there have been no modifications to the criteria. The Chief of the ITIM Management Group told us that the DEA would begin implementing the control phase of the ITIM process in 2004.
Critical Process #2: Creating the Portfolio
The development of the IT investment portfolio is an ongoing process that includes decision-making, prioritization, review, realignment, and reprioritization of projects that are competing for resources and funding. The process for creating the portfolios should ensure that each IT investment board manages investments according to an organizational, strategic-planning perspective. The boards should collectively analyze and compare all investments and proposals to select those that best fit with the strategic business direction, needs, and priorities of the entire organization.
To implement the critical process of creating an IT investment portfolio, the DEA must establish six key practices. The DEA has completed two of the six key practices:
Policies, Procedures, and Processes. According to the ITIM Framework, each IT investment board should have policies and procedures in place to help it select the most promising proposals and to ensure that the most feasible investments are considered. These policies should include specific screening criteria to help identify and expedite the selections.
The DEA has documented the processes for selecting an investment portfolio in its DEA Investment Guide, which provides policies and procedures that supplement and support guidance from DOJ Order 2880.1A and OMB Circular A-11 regarding investment analysis. The Investment Guide contains detailed processes for analyzing, selecting and maintaining the investment portfolio. In addition, the DEA requires program managers to develop an Exhibit 300, as explained in OMB Circular A-11, for all projects to be submitted for final funding approval. The Exhibit 300 includes a description of the project and a justification describing the costs, project management, schedule, and risks.
Board Members' Knowledge. As stated previously, the DEA included the criteria within a scoring sheet format to be used by the Business Council in reviewing and selecting portfolio investments. In doing this, the DEA has ensured that the investment board is knowledgeable of the criteria to be used in selecting portfolio investments.
Uncompleted Key Practices. The DEA is working on, but has not yet implemented, the following four key practices:
As stated before, the DEA has detailed procedures for selecting, controlling, and evaluating portfolio investments. Through our review of the supporting documentation given to us by the DEA and minutes of the Business Council's meetings, we conclude that the DEA is operating according to the procedures outlined for the selection of investments. However, because the Business Council has only been in operation for one budgetary cycle, we were unable to determine if the "control" and "evaluate" procedures have been implemented. The Chief of the Strategic Business and Analysis Management Group told us that the DEA would implement the control phase of the ITIM process during 2004.
We also found that the DEA has taken steps to ensure that information used to select, control, and evaluate the portfolio is captured and maintained for future reference. The DEA maintains the minutes and action items from investment board meetings electronically for retrieval at a later date. The DEA also uses an Information Technology Investment Portfolio System (ITIPS), which tracks the planning, acquisition, and operations of Automated Information Systems and IT investments. The ITIPS also complies with federal requirements such as the Government Performance and Results Act, the Paperwork Reduction Act, and the Clinger-Cohen Act. According to the DEA self-assessment, the DEA is assessing other tools to better capture the required information about IT investments.
The DEA's ability to effectively capture investment information on past and present IT decisions can translate into better decisions on IT investments during control phase activities, as well as during the evaluation and selection processes. As stated previously, without an effective system to capture IT investment information, the DEA may base IT decisions more on judgment, intuition, and partial data than on objective, systematic, IT-related information that is routinely collected and analyzed. The ITIM Framework states that IT information systems that deliver information that is up-to-date, encompassing, and presented in a useful format will enhance the decision process.
Critical Processes #3 and #4: Evaluating the Portfolio and Conducting Post Implementation Reviews
The two remaining critical processes within Stage 3 of the ITIM Framework involve evaluating the investment portfolio and performing post-implementation reviews on it. The DEA had not yet completed those critical processes as of February 2004.
As stated previously, the DEA has procedures in place for evaluating investments within the portfolio. However, no work has been done to evaluate those investments. Although the DEA's ITIM process has been in operation for two fiscal years and one budgetary cycle, the agency has not yet advanced into the evaluation phase of the ITIM Framework. The DEA self-assessment stated that the DEA is beginning to implement a 10-percent threshold for cost and schedule variance to guide in evaluating IT portfolio performance.
To streamline the Business Council and the Executive Review Board's access to current information on the status of DEA IT investments, the DEA is working to implement the DOJ/CIO Dashboard to provide information on the status of IT projects.32 Once implemented, the Business Council, the Executive Review Board, and project managers may use the Dashboard to gain a quick reference to determine the cost, schedule, and risks for investments contained in the DEA IT portfolio.
In addition, the DEA has not provided formal training for investment boards members to ensure that boards' members are familiar with portfolio evaluation and improvement procedures. As stated previously, at the beginning of the meeting the DEA ITIM Management Group outlines for the Business Council the process to be used for IT investment review. In our judgment, a formal training session would enable the investment boards to become more familiar with the ranking categories and to understand what each category entails and how each category is important to the evaluation of each IT investment.
ITIM Stage 3 Summary
The DEA has completed 9 of 27 key practices necessary to attain Stage 3 maturity of the ITIM Framework. The agency has defined the policies and procedures to be used in the portfolio selection process, established responsibility for criteria development, and has made the investment boards aware of the established criteria. However, the DEA has not yet: 1) obtained and utilized a system to effectively capture investment information for projects, or 2) provided training to investment boards members on the evaluation criteria for IT investments.
According to the ITIM Framework, the primary focus of Stage 4 is to improve the overall performance of an agency's IT portfolio. To attain the Stage 4 level of maturity, an agency must implement two critical processes: 1) evaluate the performance of the portfolio and use the information gained from the evaluation to improve both current IT investment processes and the future performance of the investment portfolio, and 2) manage the succession of information systems by replacing low-value systems with higher-value systems.
The ITIM Framework states that an agency should know how well investments in information management and technology are contributing to improvements in mission performance. Improving the portfolio's performance is, at the level of the investment portfolio, the equivalent of Stage 3's post-implementation reviews for an investment. At Stage 4, an agency determines how well a portfolio of IT investments is: 1) helping to achieve the strategic needs of the enterprise, 2) satisfying the needs of business units and users with IT products and services, and 3) improving IT business performance for users and for the enterprise as a whole. To make these determinations, an agency's entire portfolio of investments should be compiled and analyzed, and investment trends examined. To perform the analysis of the entire portfolio, an agency may use the information compiled from the post-implementation reviews, the IT investment boards' experiences, and the results to date for major investments.
Also at Stage 4, the agency enhances its ability to forecast, plan, and manage the migration to new system investments. At this stage, the target EA and transition plan can be useful guides in evaluating which investments should be phased out and which ones the agency should retain. According to the ITIM Framework, Stage 4 maturity is significant because some IT investments can outlive their usefulness and yet consume resources that outweigh the IT investments' benefits to the agency.
The DEA stated in its self-assessment that it has not yet implemented any of the key practices for Stage 4 maturity. In addition, in order for the DEA to consider Stage 4 maturity it must implement all key practices in Stage 3.
According to the ITIM Framework, at Stage 5 an agency is using its IT investment capabilities both to anticipate the effects of next-generation information technologies and to significantly drive strategic business transformation. As an agency's capability to run effective management processes to constantly select, control, and evaluate IT investments matures, the agency can more effectively examine how best to institute major business transformations to better achieve its missions. These major business transformations will include fundamental changes to how the agency applies new information technologies to support changes in customer interaction and service delivery processes.
For the DEA to attain Stage 5 maturity it must: 1) attain Stage 4 maturity by implementing all key practices within Stages 3 and 4, 2) optimize the investment process by ensuring that best practices of other organizations are captured and incorporated into the DEA's IT investment process, and 3) use IT to strategically transform work processes and explore new and more effective ways of executing the DEA's mission.
The DEA is making progress toward implementing a process to effectively manage its IT investments. The DEA has attained Stage 2 of the five maturity stages outlined in the ITIM Framework by: 1) establishing IT investment boards and defining the membership, guiding policies, operations, roles responsibilities, and authorities for each board; 2) developing business cases that identify key executive sponsors and business customers or end-users and the business needs that the IT project will support; 3) defining a process that is used to select new IT project proposals and reselect ongoing projects; 4) providing investment oversight by monitoring projects regarding cost and schedule expectations as well as anticipated benefits and risk; and 5) capturing the investment information necessary for executive decision-makers to make informed decisions about the DEA's IT investments.
The DEA has made progress toward attaining Stage 3 maturity of the ITIM Framework, by completing 9 of the 27 necessary key practices. Specifically, the DEA has defined the policies and procedures to be used in the portfolio selection process, established responsibility for criteria development, and has made the investment boards aware of the established criteria. To attain Stage 3 maturity, the DEA must: 1) obtain and utilize a system to effectively capture investment information for projects, and 2) provide training to investment boards' members on the evaluation criteria for IT investments.
To attain Stage 4 and 5 maturity as described by the ITIM Framework, the DEA must: 1) evaluate the performance of the portfolio and use the information gained from the evaluation to improve both current IT investment processes and the future performance of the investment portfolio, 2) manage the succession of information systems by replacing low-value systems with higher-value systems, 3) optimize the investment process by ensuring that best practices of other organizations are captured and incorporated within the DEA's IT investment process, and 4) use IT to strategically transform work processes and explore new and more effective ways of executing the DEA's mission.
We recommend that the DEA: