Veterans Affairs: The Role of the Chief Information Officer in	 
Effectively Managing Information Technology (20-OCT-05, 	 
GAO-06-201T).							 
                                                                 
In carrying out its mission of serving the nation's veterans and 
their dependents, the Department of Veterans Affairs (VA) relies 
extensively on information technology (IT), for which it is	 
requesting about $2.1 billion in fiscal year 2006. VA's vision is
to integrate its IT resources and streamline interactions with	 
customers, so that it can provide services and information to	 
veterans more quickly and effectively. Fully exploiting the	 
potential of IT to improve performance is a challenging goal for 
VA, as it is throughout government. The Clinger-Cohen Act of 1996
addressed this challenge by, among other things, establishing the
position of chief information officer (CIO) to serve as the focal
point for information and technology management within		 
departments and agencies. As agreed with Congress, GAO will	 
discuss the role of CIOs in the federal government and in the	 
private sector, as well as provide a historical perspective on	 
the roles and responsibilities of VA's CIO. In developing this	 
testimony, GAO relied on its previous work at VA and on the CIO  
role, including a 2004 review of CIOs at major departments and	 
agencies and a 2005 review of CIOs at leading private-sector	 
organizations.							 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-201T					        
    ACCNO:   A39917						        
  TITLE:     Veterans Affairs: The Role of the Chief Information      
Officer in Effectively Managing Information Technology		 
     DATE:   10/20/2005 
  SUBJECT:   Agency missions					 
	     Chief information officers 			 
	     Comparative analysis				 
	     Customer service					 
	     Information management				 
	     Information resources management			 
	     Information technology				 
	     Performance measures				 
	     Private sector					 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-201T

     

     * PDF5-Ordering Information.pdf
          * Order by Mail or Phone

                 United States Government Accountability Office

Testimony

GAO

             Before the Committee on Veterans' Affairs, U.S. Senate

For Release on Delivery VETERANS AFFAIRS                                   
Expected at 10 a.m. EDT 
October 20, 2005        
                           The Role of the Chief                              
                           Information Officer in                             
                           Effectively Managing Information Technology        
                           Statement of Linda D. Koontz, Director Information 
                           Management Issues                                  

GAO-06-201T

VETERANS AFFAIRS

The Role of the Chief Information Officer in Effectively Managing
Information Technology

  What GAO Found

In the federal government and in the private sector, the responsibilities
and challenges of CIOs are largely similar. In most management areas, the
federal and private-sector organizations reviewed showed little difference
in the percentage of CIOs who had or shared a particular responsibility
(see figure). The challenges cited by private-sector CIOs were also
similar to those of federal CIOs: both groups cited improving IT
management processes, developing IT leadership and skills, working with
enterprise architectures, and ensuring the security of systems.

Over time, VA has increased its attention to the CIO position and to
information and technology management. After several years with CIOs whose
primary duty was not information and technology management or who were
serving in an acting capacity, the department appointed a full-time
permanent CIO in August 2001. VA also recognized that its decentralized
computing environment presented challenges, with a large proportion of the
department's IT budget controlled by its administrations and staff
offices. As a result, in 2002, the department proposed a realignment to
strengthen the department-level CIO position and centralize IT management
under this official. GAO has not reviewed the current status of this
proposed realignment or VA's current organizational structure, but its
view is that the realignment held promise for improving accountability and
helping to accomplish VA's mission by increasing the CIO's oversight over
IT management and spending.

Comparison of the Extent to Which Private-Sector and Federal CIOs Are
Responsible for Management Areas

                 United States Government Accountability Office

                                Results in Brief

Mr. Chairman and Members of the Committee:

Thank you for inviting us to take part in your discussion of the
information technology organization at the Department of Veterans Affairs
(VA) and the role of the Chief Information Officer (CIO). In carrying out
its mission of serving our nation's veterans, the department relies
heavily on information technology, for which it is requesting about $2.1
billion in funding for fiscal year 2006. The CIO will play a vital role in
ensuring that this money is well spent and that information technology is
managed effectively. As we have previously reported, an effective CIO can
make a significant difference in building the institutional capacity that
is needed to improve an agency's ability to manage information and
technology and thus enhance program performance.

At your request, we will discuss the role of CIOs in the federal
government, present for comparison the results of our study of
private-sector CIOs, and provide a historical perspective on the roles and
responsibilities of VA's CIO.

In developing this testimony, we reviewed our previous work in this area.
All work covered in this testimony was performed in accordance with
generally accepted government auditing standards.

Since the Clinger-Cohen act established the CIO position in 1996, 1
federal CIOs have played a central role in managing information and
technology within federal agencies. According to CIOs at major departments
and agencies, 2 they generally held wide responsibilities and reported to
their agency heads or other top level managers. In general, CIOs reported
that they were responsible for key information and technology management
areas; for example, all the

1

40 U.S.C. 11101, et seq.

2

GAO, Federal Chief Information Officers: Responsibilities, Reporting
Relationships, Tenure, and Challenges, GAO-04-823 (Washington, D.C.: July
21, 2004).

Page 1 GAO-06-201T

CIOs were responsible for five key areas (capital planning and investment
management, information security, IT human capital, strategic planning for
information technology and information resource management, and enterprise
architecture). In carrying out these responsibilities, the tenure of
federal CIOs was often less than the length of time that some experts
consider necessary for them to be effective and implement changes: the
median tenure was about 2 years, and the most common response regarding
time required to be effective was 3 to 5 years. In contrast, CIOs were
generally helped in carrying out their responsibilities by the background
and experience they brought to the job. Although their background was
varied, most had background in information technology (IT) or related
fields, many having previously served as CIOs; many also had business
knowledge related to their agencies, having previously worked either at
the agency or in an area related to its mission. Other factors that help
CIOs meet their responsibilities effectively are described in guidance 3
that we have issued; key among these are

(1) being supported by senior executives who recognize the importance to
their missions of IT and an effective CIO; (2) playing an influential role
in applying IT to business needs; and (3) being able to structure their
organizations appropriately. At the same time, CIOs cited several
challenges, of which the two most frequently mentioned were implementing
effective IT management and obtaining sufficient and relevant resources.

Private-sector CIOs reported responsibilities, challenges, and approaches
to information and technology governance that are similar but not
identical to those of their federal counterparts. Most of the
private-sector CIOs we contacted had either sole or shared responsibility
for the key management areas we explored, which corresponded to those that
we reported on in our federal agency review. 4 Among the areas in which
most of the private-sector CIOs

GAO, Maximizing the Success of Chief Information Officers: Learning from
Leading Organizations, GAO-01-376G (Washington, D.C.: February 2001).

4 GAO-04-823.

Page 2 GAO-06-201T

had or shared responsibility, 18 or more of the 20 we contacted 5 cited
five information and technology management areas (capital planning and
investment management, information security, human capital for managing
information resources, systems acquisition, and e-commerce); the first
three of these were also responsibilities of all federal CIOs, and the
last two were responsibilities of 90 percent of federal CIOs. 6 The
challenges cited by the private-sector CIOs were also similar to those
cited by federal CIOs. Both private-sector and federal CIOs noted
improving various IT management processes (e.g., IT investment decision
making), developing IT leadership and skills, working with enterprise
architectures, and ensuring the security of systems. To manage their IT,
the private-sector companies used both centralized and decentralized
organizational structures: in some, authority is centralized in the CIO's
office, while in others, it is decentralized in the business units,
depending on other events in the company such as strategic realignments
and acquisitions. Most of the private-sector companies had executive
committees with authority and responsibility for governing major IT
investments. Many private-sector CIOs also told us that they were making
efforts to move toward common business processes, such as by instituting
cross-organizational teams to work on developing enterprisewide systems
and standards.

With regard to VA, both the CIO position and IT management have received
increased management attention over time. After going for 2 1/2 years
after the passage of the Clinger-Cohen Act without a CIO, followed by 2
years with an executive whose time was divided among CIO and other major
duties, and then 1 year with an acting CIO, the department appointed a
full-time permanent CIO in August 2001. Since then, the department
proposed further strengthening the position and centralizing IT
management, recognizing that aspects

5

Private-sector organizations contacted were Avnet, AARP, Booz Allen
Hamilton, Capital One Financial, Cisco Systems, General Electric, General
Motors, Georgia-Pacific, IBM, Lear Corporation, PEPCO, PepsiCo, Pioneer
Natural Resource, Unisys, University of Arizona, Wal-Mart, Manpower,
Spectrum Brands (formerly Rayovac), American Family Mutual Insurance, and
Lands' End.

6

We considered responsibility for major e-government initiatives to be the
federal equivalent of responsibility for e-commerce.

Page 3 GAO-06-201T

                                   Background

of its computing environment were particularly challenging and required
substantial management attention. In particular, the department's
information systems and services were highly decentralized, and a large
proportion of the department's IT budget was controlled by the VA's
administrations and staff offices. To address these challenges, the
Secretary issued a memo in 2002 announcing that IT functions, programs,
and funding would be centralized under the department-level CIO. Although
we have not reviewed the current status of this proposed realignment or
VA's current organizational structure, it remains our view that the
proposal held promise for improving IT accountability and enabling the
department to accomplish its mission. The additional oversight afforded
the CIO could have a significant impact on the department's ability to
more effectively account for and manage its approximately $2.1 billion in
planned IT spending.

VA comprises three major components: the Veterans Benefits Administration
(VBA), the Veterans Health Administration (VHA), and the National Cemetery
Administration (NCA). 7 VA's mission is summed up in its mission
statement, a quotation from Abraham Lincoln: "to care for him who shall
have borne the battle and for his widow and his orphan." VA carries out
this mission by providing benefits and other services to veterans and
dependents.

The department's vision is to be a more customer-focused organization,
functioning as "One VA." This vision stemmed from the recognition that
veterans think of VA as a single entity, but often encountered a
confusing, bureaucratic maze of uncoordinated programs that put them
through repetitive and frustrating administrative procedures and delays.
The "One VA" vision is to create versatile new ways for veterans to obtain
services and

7

VBA provides nonmedical benefits to veterans and their dependents; VHA
provides services through the nation's largest health-care system; and NCA
provides burial services in 115 national cemeteries.

Page 4 GAO-06-201T

information by streamlining interactions with customers and integrating IT
resources to enable VA employees to help customers more quickly and
effectively. This vision will require modifying or replacing separate
information systems with integrated systems using common standards to
share information across VA programs and with external partner
organizations, such as the Department of Defense. Accordingly, effective
management of its IT programs is vital to VA's successful achievement of
its vision and mission.

Table 1 shows a breakdown of VA's approximately $2.1 billion IT budget
request for fiscal year 2006. Of the total, VHA accounted for
approximately $1.8 billion, VBA approximately $150 million, and NCA
approximately $11 million. The remaining $84 million was designated for
the department level.

Table 1: Breakdown of VA's Fiscal Year 2006 Information Technology Budget
Request (in millions)

                              Organization Request

                                 VHA $1835 88%

                                   VBA 150 7%

                                   NCA 11 <1%

                                Department 84 4%

                                  Total $2080

                        Source: GAO analysis of VA data.

  CIO Plays Major Role in Federal IT Management

The Congress has long recognized that IT has the potential to enable
federal agencies to accomplish their missions more quickly, effectively,
and economically. However, fully exploiting this potential presents
challenges to agencies. Despite substantial IT investments, the federal
government's management of information resources has produced mixed
results. One of the ways in which the Congress has addressed this issue
was to establish the CIO position; an agency's CIO is to serve as the
focal point for information and technology management within an agency.

In 1996, the Clinger-Cohen Act established the position of agency CIO and
specified responsibilities for this position. Among these
responsibilities, the act required that the CIOs in the 24 major
departments and agencies 8 have information resources management (IRM) 9
as their "primary duty." 10

The Congress has mandated that CIOs should play a key leadership role in
ensuring that agencies manage their information functions in a coordinated
and integrated fashion in order to improve the efficiency and
effectiveness of government programs and operations. 11

    CIO Responsibilities and Reporting Relationships

CIOs have responsibilities that can contribute significantly to the
successful implementation of information systems and processes. In July
2004, we reported on CIO roles, responsibilities, and challenges (among
other things) at 27 major agencies. 12 For this work, we identified major
areas of CIO responsibilities that were either statutory requirements or
critical to effective information and technology management. 13
Altogether, we identified the 13 areas shown in table 2.

8 The 24 major departments and agencies are specified in 31 U.S.C. 901.

9

IRM is the process of managing information resources to accomplish agency
missions and to improve agency performance.

10

The E-Government Act of 2002 reiterated agency responsibility for
information resources management. Pub. L. 107-347 (Dec. 17, 2002).

11 40 U.S.C. 11315.

12

The 27 agencies covered by our report were the Departments of Agriculture,
the Air Force, the Army, Commerce, Defense, Education, Energy, Health and
Human Services, Homeland Security, Housing and Urban Development, the
Interior, Justice, Labor, the Navy, State, Transportation, the Treasury,
and Veterans Affairs; and the Environmental Protection Agency, General
Services Administration, National Aeronautics and Space Administration,
National Science Foundation, Nuclear Regulatory Commission, Office of
Personnel Management, Small Business Administration, Social Security
Administration, and U.S. Agency for International Development.

13

GAO, Federal Chief Information Officers: Responsibilities, Reporting
Relationships, Tenure, and Challenges, GAO-04-823 (Washington, D.C.: July
21, 2004).

                   Table 2: Major Areas of CIO Responsibility

               Area of responsibility Description Applicable laws

IT capital planning and Planning and management of IT 44 U.S.C. 3506(h),
investment management capital investments 40 U.S.C. 11312 & 11313

Enterprise architecturea Developing and maintaining the OMB guidance
enterprise architecture defining the agency's mission and the information
and IT needed to perform it

Information security Ensuring agency compliance 44 U.S.C. 3506(g) with the
requirement to protect and 3544(a)(3) information and systems

IT/IRM strategic planning Performing strategic planning for 44 U.S.C.
3506(b)(2) all information and information technology management functions

IT/IRM human capital Helping agency meet IT/IRM 44 U.S.C. 3506(b),
workforce needs 40 U.S.C. 11315(c)

E-government initiativesa Supporting initiatives to use IT to 44 U.S.C.
3506(h)(3), improve government services to E-Government Act of the public
and internal 2002, other laws and operations guidance

Systems acquisition, Controlling the acquisition, 44 U.S.C. 3506(h)(5),
development, and integrationa development, and integration of 40 U.S.C.
11312

IT systems

Information Reviewing proposals for agency 44 U.S.C. 3506(c)

collection/paperwork reduction information collections to maximize their
utility and minimize public paperwork burden

Records management Ensuring that agency 44 U.S.C. 3506(f) implements and
enforces records management policies and procedures under the Federal
Records Act

Information disseminationb Ensuring that information 44 U.S.C. 3506(d)
dissemination activities meet policy goals such as timely and equitable
public access to information

Information disclosureb Ensuring appropriate information 44 U.S.C. 3506(g)
access under the Freedom of Information Act

Privacy Ensuring agency compliance 44 U.S.C. 3506(g) with the Privacy Act
and related laws

Area of responsibility Description                       Applicable laws   
Statistical policy and Performing statistical policy and 44 U.S.C. 3506(e) 
coordination           coordination functions, including 
                               ensuring the relevance,      
                             accuracy, and timeliness of    
                           information collected or created 
                          for statistical purposes          

Source: GAO analysis.

a

Three areas of responsibility-enterprise architecture; systems
acquisition, development, and integration; and e-government
initiatives-are not assigned to CIOs by statute; they are assigned to the
agency heads by law or guidance. However, in virtually all agencies, the
agency heads have delegated these areas of responsibility to their CIOs.

b

For our later private-sector study, we combined Information dissemination
and Information disclosure into a single function in order to increase
these functions' relevance for private-sector CIOs.

According to our report, CIOs were generally responsible for the key
information and technology management areas shown in the table, although
not all CIOs were completely responsible for all areas. 14 For example:

     o All the CIOs were responsible for the first five areas in the table
       (capital planning and investment management, enterprise architecture,
       information security, IT/IRM strategic planning, and IT/IRM human
       capital).
     o More than half had responsibility for six additional areas (major
       e-government initiatives, systems acquisition, information
       collection/paperwork reduction, records management, information
       dissemination, and privacy).
     o Fewer than half were responsible for two areas (information disclosure
       and statistics).

It was common for CIOs to share responsibility for certain functions, and
in some cases responsibilities were assigned to other offices. For
example, systems acquisition responsibility could be shared among the CIO
and other officials, such as a procurement executive or program executive;
disclosure could be assigned to general counsel and public affairs, while
statistical policy could be

The acting CIO at VA at the time of our review responded that the CIO was
responsible for all the activities except for statistical policy and
coordination.

Page 8 GAO-06-201T

assigned to offices that deal with the agency's data analysis. 15
Nevertheless, even for areas of responsibility that were not assigned to
CIOs, agency CIOs generally reported that they contributed to the
successful execution of the agency's overall responsibilities in that
area.

In carrying out their responsibilities, CIOs generally reported to their
agency heads. For 19 of the agencies in our review, the CIOs stated that
they had this reporting relationship. In the other 8 agencies, the CIOs
stated that they reported instead to another senior official, such as a
deputy secretary, under secretary, or assistant secretary. In addition, 8
of the 19 CIOs who said they had a direct reporting relationship with the
agency head noted that they also reported to another senior executive,
usually the deputy secretary or under secretary for management, on an
operational basis. According to members of our Executive Council on
Information Management and Technology, 16 what is most critical is for the
CIO to report to a top level official.

    Tenure and Backgrounds of CIOs

Federal CIOs often remained in their positions for less than the length of
time that some experts consider necessary for them to be effective and
implement changes. At the major departments and agencies included in our
review, the median time in the position of permanent CIOs whose time in
office had been completed was about 23 months. 17 For career CIOs, the
median was 32 months; the median for political appointees was 19 months.
To the question of how long a CIO needed to stay in office to be
effective, the most common response of the CIOs (and former agency IT
executives

15

This is particularly the case in agencies that contain Principal
Statistical Agencies, such as the Bureau of Economic Analysis (Department
of Commerce), Bureau of Justice Statistics (Department of Justice), Bureau
of Labor Statistics (Department of Labor), and others.

16

This panel of industry, state government, and academic experts provides
outside expertise to GAO on information technology issues.

17

We did not include acting CIOs in this calculation, unless the acting CIO
was later put in the permanent position. We calculated tenure since the
enactment of the Clinger-Cohen Act (1996).

whom we consulted) was 3 to 5 years. Between February 10, l996, and March
1, 2004, only about 35 percent of the permanent CIOs who had completed
their time in office reportedly had stayed in office for a minimum of 3
years. The gap between actual time in office and the time needed to be
effective is consistent with the view of many agency CIOs that the
turnover rate was high, and that this rate was influenced by the political
environment, the pay differentials between the public and private sectors,
and the challenges that CIOs face.

In contrast, the CIOs at the 27 agencies were generally helped in carrying
out their responsibilities by the background and experience they brought
to the job. The background of the CIOs varied in that they had previously
worked in the government, the private sector, or academia, and they had a
mix of technical and management experience. However, virtually all had
work experience or educational backgrounds in IT or IT-related fields; 12
agency CIOs had previously served in a CIO or deputy CIO capacity.
Moreover, most of the them had business knowledge related to their
agencies because they had previously worked at the agency or had worked in
an area related to the agency's mission.

    Success Factors and Challenges of CIOs

To allow CIOs to serve effectively in the key leadership role envisioned
by the Congress, federal agencies should use the full potential of CIOs as
information and technology management leaders and active participants in
the development of the agency's strategic plans and policies. The CIOs, in
turn, must meet the challenges of building credible organizations and
developing and organizing information and technology management
capabilities to meet mission needs.

In February 2001, we issued guidance 18 on the effective use of CIOs,
which describes the following three factors as key contributors to CIO
success:

18

GAO, Maximizing the Success of Chief Information Officers: Learning from
Leading Organizations, GAO-01-376G ( Washington, D.C.: February 2001).

Page 10 GAO-06-201T

     o Supportive senior executives embrace the central role of technology in
       accomplishing mission objectives and include the CIO as a full
       participant in senior executive decision making.
     o Effective CIOs have legitimate and influential roles in leading top
       managers to apply IT to business problems and needs. Placement of the
       position at an executive management level in the organization is
       important, but in addition, effective CIOs earn credibility and
       produce results by establishing effective working relationships with
       business unit heads.
          * Successful CIOs structure their organizations in ways that
            reflect a clear understanding of business and mission needs.
            Along with knowledge of business processes, market trends,
            internal legacy structures, and available IT skills, this
            understanding is necessary to ensure that the CIO's office is
            aligned to best serve agency needs.
          * The CIO study that we reported on in July 2004 also provides
            information on the major challenges that federal CIOs face in
            fulfilling their duties. 19 In particular, CIOs view IT
            governance processes, funding, and human capital as critical to
            their success, as indicated by two challenges that were cited by
            over 80 percent of the CIOs: implementing effective information
            technology management and obtaining sufficient and relevant
            resources.
     o Effective IT management. Leading organizations execute their
       information technology management responsibilities reliably and
       efficiently. A little over 80 percent of the CIOs reported that they
       faced one or more challenges related to implementing effective IT
       management practices at their agencies. This is not surprising given
       that, as we have previously

reported, the government has not always successfully executed the IT
management areas that were most frequently cited as challenges

GAO, Federal Chief Information Officers: Responsibilities, Reporting
Relationships, Tenure, and Challenges, GAO-04-823 (Washington, D.C.: July
21, 2004).

Page 11 GAO-06-201T

by the CIOs-information security, enterprise architecture, investment
management, and e-gov. 20

0M Sufficient and relevant resources. One key element in ensuring an
agency's information and technology success is having adequate resources.
Virtually all agency CIOs cited resources, both in dollars and staff, as
major challenges. The funding issues cited generally concerned the
development and implementation of agency IT budgets and whether

certain IT projects, programs, or operations were being adequately funded.

We have previously reported that the way agency initiatives are originated
can create funding challenges that are not found in the private sector. 21
For example, certain information systems may be mandated or legislated, so
the agency does not have the flexibility to decide whether to pursue them.
Additionally, there is a great deal of uncertainty about the funding
levels that may be available from year to year.

The government also faces long-standing and widely recognized challenges
in maintaining a high-quality IT workforce. In 1994 and 2001, we reported
on the importance that leading organizations placed on making sure they
had the right mix of skills in their IT workforce. 22 About 70 percent of
the agency CIOs reported on a number of substantial IT human capital
challenges, including, in

20

See, for example, GAO, High-Risk Series: Protecting Information Systems
Supporting the Federal Government and the Nation's Critical
Infrastructures ; GAO-03-121 (Washington, D.C.: Jan. 1, 2003); Information
Technology Management: Governmentwide Strategic Planning, Performance
Measurement, and Investment Management Can Be Further Improved, GAO-04-49
(Washington, D.C.: Jan. 12, 2004); Information Technology: Leadership
Remains Key to Agencies Making Progress on Enterprise Architecture
Efforts, GAO-04-40 (Washington, D.C.: Nov. 17, 2003); and Major Management
Challenges and Program Risks: A Governmentwide Perspective, GAO-03-95
(Washington, D.C.: January 2003).

21

GAO, Chief Information Officers: Implementing Effective CIO Organizations,
GAO/T- AIMD-00-128 (Washington, D.C.: Mar. 24, 2000).

22

GAO, Executive Guide: Improving Mission Performance through Strategic
Information Management and Technology, GAO/AIMD-94-115 (Washington, D.C.:
May 1, 1994) and GAO-01-376G.

some cases, the need for additional staff. Other challenges included
recruiting, retention, training and development, and succession planning.

In addition, two other commonly cited challenges were communicating and
collaborating (both internally and externally) and managing change.

0M Communicating and collaborating. Our prior work has shown the
importance of communication and collaboration, both within an agency and
with its external partners. For example, one of the critical success
factors we identified in our guide focuses on the CIO's ability to
establish his or her organization as a central player in the enterprise.
23 Ten agency CIOs reported that

     communication and collaboration were challenges. Examples of internal
              communication and collaboration challenges included

(1)
           cultivating, nurturing, and maintaining partnerships and alliances
           while producing results in the best interest of the enterprise and

(2)
           establishing supporting governance structures that ensure two-way
           communication with the agency head and effective communication
           with the business part of the organization and component entities.
           Other CIOs cited activities associated with communicating and
           collaborating with outside entities as challenges, including
           sharing information with partners and influencing the Congress and
           OMB.

0M Managing change. Top leadership involvement and clear lines of
accountability for making management improvements are critical to
overcoming an organization's natural resistance to change, marshaling the
resources needed to improve management, and building and maintaining
organizationwide commitment to new ways of doing business. Some CIOs
reported challenges associated with implementing both changes originating
from their own initiative and

changes from outside forces. Implementing major IT changes can involve not
only technical risks but also nontechnical risks, such as

23 GAO-01-376G.

those associated with people and the organization's culture. Six CIOs
cited dealing with the government's culture and bureaucracy as challenges
to implementing change. Former agency IT executives also cited the need
for cultural changes as a major challenge facing CIOs. Accordingly, in
order to effectively implement change, it is important that CIOs build
understanding, commitment, and support among those who will be affected by
the change.

Effectively tackling these reported challenges can improve the likelihood
of a CIO's success. Until these challenges are overcome, federal agencies
are unlikely to optimize their use of information and technology, which
can affect an organization's ability to effectively and efficiently
implement its programs and missions.

  The CIO Position in the Private Sector Has Similarities to the Federal CIO
  Position

In September 2005, 24 we reported the results of our study of CIOs at
leading private-sector organizations, in which we described the CIOs'
responsibilities and major challenges, as well as private-sector
approaches to information and technology governance.

The set of responsibilities assigned to CIOs in the private sector were
similar to those in the federal sector. In most areas, there was little
difference between the private and federal sectors in the percentage of
CIOs who had or shared a particular responsibility. In 4 of the 12
areas25-enterprise architecture, strategic planning, information
collection, and information dissemination and disclosure-the difference
between the private- and federal-sector CIOs was greater; in each case,
fewer CIOs in the private sector had

24

GAO, Chief Information Officers: Responsibilities and Information
Technology Governance at Leading Private-Sector Companies, GAO-05-986
(Washington, D.C.: Sept. 9, 2005).

25

As mentioned earlier, we reduced the 13 areas reviewed in the federal CIO
study to 12 in the private-sector study by combining information
dissemination and information disclosure into a single function. In
addition, we treated e-government in the public sector as equivalent to
e-business/e-commerce in the private sector.

Page 14 GAO-06-201T

these responsibilities. In all, the six functions least likely to be the
CIO's responsibility in the federal sector were equivalent to the five
functions least likely to be his or her responsibility in the private
sector. 26 Some of the federal CIOs' functions, such as information
collection and statistical policy, did not map directly to the management
areas in several of the private-sector organizations we contacted.

Figure 1 compares federal and private-sector CIO responsibilities for the
12 areas, showing the percentage of CIOs who had or shared responsibility
for each area.

As mentioned, information dissemination and information disclosure were
treated as two areas in the federal study.

Page 15 GAO-06-201T

Figure 1: Comparison of the Extent to Which Private-Sector and Federal CIOs Are
                        Responsible for Management Areas

Among the private-sector CIOs, it was common to share responsibility with
either business units or corporate functional areas; these sharing
relationships accounted for almost a third of all responses. Among federal
CIOs, the sharing of responsibility was not described in as many areas.

    Challenges Identified by Private-Sector CIOs

Approximately half of all the private-sector CIOs described four major
challenges:

Page 16 GAO-06-201T

     o Aligning IT with business goals was cited by 11 of the CIOs. This
       challenge requires the CIOs to develop IT plans to support their
       companies' business objectives. In many cases this entails
       cross-organization coordination and collaboration.
     o Implementing new enterprise technologies (e.g., radio frequency
       identification, enterprise resource planning systems, and customer
       relationship management systems) was cited by 8 of the CIOs. This
       challenge requires the broad coordination of business and corporate
       units.
     o Controlling IT costs and increasing efficiencies was cited by 9 of the
       CIOs. Several CIOs explained that by controlling costs and providing
       the same or better service at lower cost, they are able to contribute
       to their companies' bottom lines. A few CIOs also said that they
       generate resources for new investments out of the resources freed up
       by cost savings.
          * Ensuring data security and integrity was cited by 9 of the CIOs.
            Closely associated with this challenge was ensuring the privacy
            of data, which was raised by 6 CIOs.
          * Additional management challenges commonly raised by the
            private-sector CIOs included
     o developing IT leadership and skills (7),
     o managing vendors, including outsourcing (7),
          * improving internal customer satisfaction (5).
          * Additional technical challenges commonly raised by the
            private-sector CIOs included
     o implementing customer service/customer relationship management (CRM)
       systems (7),
     o identifying opportunities to leverage new technology (6),
     o integrating and enhancing systems and processes (5), and
     o rationalizing IT architecture (5).

The challenges mentioned by the private-sector CIOs overlapped with those
mentioned by federal CIOs in our previous study. Improving various IT
management processes was mentioned by several private-sector CIOs (e.g.,
IT investment decision making) as well as by federal CIOs, as was
developing IT leadership and skills. In technology-related areas, both
private-sector and federal CIOs mentioned working with enterprise
architectures and ensuring the security of systems as challenges.

Although the challenges mentioned by private-sector CIOs resembled those
mentioned by federal CIOs, there were a few differences. Private-sector
CIOs mentioned challenges related to increasing IT's contribution to the
bottom line-such as controlling costs, increasing efficiencies, and using
technology to improve business processes-while federal CIOs tended to
mention overcoming organizational barriers and obtaining sufficient
resources.

    IT Governance in the Private Sector

When asked to describe how the governance of information management and
technology is carried out in their companies, 16 of the 20 private-sector
companies told us that they had an executive committee with the authority
and responsibility for governing major IT investments. As part of the
governance of IT assets in their companies, nine of the CIOs said that
they shared responsibility for IT investment management and that their
involvement ranged from providing strong leadership to reviewing plans to
ensure that they complied with corporate standards.

Many of the private-sector CIOs were actively working to increase
coordination among business units to enhance their governance process.
Seven of the CIOs described efforts under way to implement enterprisewide
financial and supply chain systems, which will move the companies to
common business processes. Six CIOs also described using
cross-organizational teams (sometimes called centers of excellence), which
drive these broad collaborative efforts and others, such as the
establishment of standards and common practices.

With regard to the governance of the development of new systems, many of
the private-sector CIOs described a process in which they collaborated
closely with business units and corporate functional units in planning and
developing systems to meet specific needs.

The extent of the CIOs' involvement ranged from providing strong
leadership and carrying out most activities to reviewing the other
components' plans to ensure that they complied with corporate standards.

With regard to sharing authority for decisions on the management of IT
assets, several CIOs spoke of balancing between centralization and
decentralization of authority and described their efforts to move between
the two extremes to find the right balance. The appropriate balance often
depended on other events occurring in the companies, such as major
strategic realignments or acquisitions. For example, one CIO described his
current evolution from a relatively decentralized structure-an artifact of
a major effort to enable growth in the corporation-to a more centralized
structure in order to reduce costs and drive profits.

  Roles and Responsibilities of the CIO Position at VA Have Evolved over Time

Since enactment of the Clinger-Cohen Act in 1996, the roles and
responsibilities of VA's Chief Information Officer have evolved. From
lacking a CIO entirely, the department has taken steps to address the
challenges posed by its multiple widespread components and its
decentralized information technology and services.

In June 1998, VA assigned CIO responsibility to a top manager. 27 However,
we reported in July 1998 28 that the person holding the CIO position at VA
had multiple additional major responsibilities, as this person also served
as Assistant Secretary for Management, Chief Financial Officer, and Deputy
Assistant Secretary for Budget. According to the act, the CIO's primary
responsibility should be

27

Section 5604 of the Clinger-Cohen Act specifically created the position of
Chief Information Officer at VA effective August 8, 1996. See 38 U.S.C. S:
310.

28

GAO, VA Information Technology: Improvements Needed to Implement
Legislative Reforms, GAO/AIMD-98-154 (W ashington, D.C.: July 7, 1998).

Page 19 GAO-06-201T

information and technology management. Noting that VA's structure was
decentralized, its IT budget was large, and its CIO faced serious
information and technology management issues, we recommended that the
Secretary appoint a CIO with full-time responsibilities for IRM.
Concurring with the recommendation, VA established the position of
Assistant Secretary for Information and Technology to serve as its CIO.

As of May 2000, however, the position of Assistant Secretary for
Information and Technology was vacant, and as we reported at the time, 29
it had been unfilled since its creation in 1998. The Secretary then
created and filled the position of Principal Deputy Assistant Secretary
for Information and Technology, designating that person as VA's acting CIO
until an Assistant Secretary could be appointed. The Secretary also
realigned IRM functions within VA under this position, which reported
directly to the Secretary.

As we reported, 30 the Principal Deputy Assistant Secretary was involved
in IT planning issues across the department. In addition to advising the
Secretary on IT issues, he served as chair of the department's CIO Council
and as a member of the department's Capital Investment Board, and he
worked with the CIOs in VBA and VHA (at the time, NCA had no CIO).
According to this official, one of his priorities was to ensure that IT
activities in VBA and VHA were in concert with VA's departmentwide
efforts.

In August 2001, VA filled the CIO position. In March 2002, 31 we testified
that this hiring was one of the important strides that the Secretary of
Veterans Affairs had made to improve the department's IT leadership and
management, along with making a commitment to reform the department's use
of IT.

29

GAO, Information Technology: Update on VA Actions to Implement Critical
Reforms, GAO/AIMD-00-74 (Washington, D.C.: May 11, 2000).

30

GAO/AIMD-00-74 .

31

GAO, Progress Made, but Continued Management Attention Is Key to Achieving
Results, GAO-02-369T (Washington, D.C.: Mar. 13, 2002).

Page 20 GAO-06-201T

On June 29, 2003, the CIO retired after a tenure of almost 2 years (about
the median length of tenure for federal CIOs, as discussed above); the
current CIO was confirmed in January 2004.

Figure 1 is a time line showing the history of the CIO position at VA
since the passage of the Clinger-Cohen Act.

    Figure 1: Time Line of CIO Tenure at VA

August 1996: CIO July 1998: CIO June 2000: Deputy assistant June 29, 2003:
position established by responsibilities assigned secretary position
established; CIO retired; deputy Clinger-Cohen Act to VA executive acting
CIO in position acts as CIO

August 2001: CIO 
January 2004: CIO

confirmed confirmed

Vacant CIO with multiple responsibilities Acting Permanent dedicated
position

                                  Source: GAO.

    VA Proposed to Realign its IT Organization in Response to IT Management
    Challenges

Our prior work highlighted some of the challenges that the CIO faced as a
result of the way the department was organized to carry out its IT
mission. 32 Among these challenges was that information systems and
services were highly decentralized, and the VA administrations and staff
offices controlled a majority of the department's IT budget. For example,
in VA's information technology budget for fiscal year 2002 of
approximately $1.25 billion, VHA controlled about $1.02 billion (over 80
percent), whereas the department level controlled about $60.2 million
(less than 5 percent).

32

GAO, VA Information Technology: Important Initiatives Begun, Yet Serious
Vulnerabilities Persist, GAO-01-550T (Washington, D.C.: Apr. 4, 2001) and
VA Information Technology: Progress Made, but Continued Management
Attention Is Key to Achieving Results, GAO-02-369T (Washington, D.C.: Mar.
13, 2002).

Page 21 GAO-06-201T

In addition, we noted that there was neither direct nor indirect reporting
to VA's cyber security officer-the department's senior security
official-thus raising questions about this person's ability to enforce
compliance with security policies and procedures and ensure accountability
for actions taken throughout the department. The more than 600 information
security officers in VA's three administrations and its many medical
facilities throughout the country were responsible for ensuring the
department's information security, although they reported only to their
facility's director or to the chief information officer of their
administration.

Given the large annual funding base and decentralized management
structure, we testified that it was crucial for the departmental CIO to
ensure that well-established and integrated processes for leading,
managing, and controlling investments are commonplace and followed
throughout the department. This is consistent with the finding in our CIO
review that implementation of IT management practices was a challenge;
over half of federal CIOs identified IT investment management
specifically.

Recognizing weaknesses in accountability for the department's IT resources
and the need to reorganize IT management and financing, the Secretary
announced a realignment of the department's IT operations in a memorandum
dated August 2002. According to the memorandum, the realignment would
centralize IT functions, programs, workforce personnel, and funding into
the office of the department-level CIO. In particular, several significant
changes were described:

     o The CIOs in each of the three administrations-VHA, VBA, and NCA-were
       to be designated deputy CIOs and were to report directly to the
       department-level CIO. Previously, these officials served as
       component-level CIOs who reported only to their respective
       administrations' under secretaries.
          * All administration-level cyber security functions were to be
            consolidated under the department's cyber security office, and
            all monies earmarked by VA for these functions were to be placed
            under the authority of the cyber security officer. Information
          * security officers previously assigned to VHA's 21 veterans
            integrated service networks 33 would report directly to the cyber
            security officer, thus extending the responsibilities of the
            cyber security office to the field.
     o Beginning in fiscal year 2003, the department-level CIO would assume
       executive authority over VA's IT funding.

In September 2002, 34 we testified that in pursuing these reforms, the
Secretary demonstrated the significance of establishing an effective
management structure for building credibility in the way IT is used, and
took a significant step toward achieving a "One VA" vision. The
Secretary's initiative was also a bold and innovative step by the
department-one that has been undertaken by few other federal agencies. For
example, of 17 agencies contacted in 2002, 8 reported having
component-level CIOs, none of which reported to the department-level CIO.
Only one agency with component-level CIOs reported that its
department-level CIO had authority over all IT funding.

We also noted that the CIO's success in managing IT operations under the
realignment would hinge on effective collaboration with business
counterparts to guide IT solutions that meet mission needs, and we pointed
out the importance of the three key contributors to CIO success described
in our 2001 guidance (discussed earlier). 35

Although we have not reviewed the current status of this proposed
realignment or VA's current organizational structure, it remains our view
that the proposed realignment held promise for building a more solid
foundation for investing in and improving the department's accountability
over IT resources. Specifically, under

33

The veterans integrated service network (VISN) is the basic budgetary and
planning unit of the veterans health care system. Funding and other
resources are distributed through the VISN. Each VISN covers a geographic
area that encompasses a population of veteran beneficiaries.

34

GAO, VA Information Technology: Management Making Important Progress in
Addressing Key Challenges, GAO-02-1054T (Washington, D.C.: Sept. 26,
2002).

35

GAO, Maximizing the Success of Chief Information Officers: Learning from
Leading Organizations, GAO-01-376G ( Washington, D.C.: February 2001).

the realignment the CIO would assume budget authority over all IT funding,
including authority to veto proposals submitted from subdepartment levels.
This could have a significant effect on VA's accountability for how
components are spending money. 36

To sum up, the CIO plays a vital role in ensuring that VA's funds are well
spent and in managing information technology to serve our nation's
veterans. In our view, the realignment of VA's IT organization proposed in
2002 held promise for improving accountability and enabling the department
to accomplish its mission. The additional oversight afforded the CIO could
have a significant impact on the department's ability to more effectively
account for and manage its proposed $2.1 billion in planned IT spending.

Mr. Chairman, this concludes my statement. I would be pleased to respond
to any questions that you or other members of this Committee may have at
this time.

  Contacts and Acknowledgements

For information about this testimony, please contact Linda D. Koontz,
Director, Information Management Issues, at (202) 512-6240 or at
[email protected]. Contact points for our Offices of Congressional Relations
and Public Affairs may be found on the last page of this statement.
Individuals making key contributions to this testimony include Barbara
Collier, Lester Diamond, Barbara Oliver, and J. Michael Resser.

36

GAO, VA Information Technology: Progress Continues Although
Vulnerabilities Remain, GAO/T-AIMD-00-321 (Washington, D.C.: Sept. 21,
2000).

Page 24 GAO-06-201T

    (310747)

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

    GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov) . Each weekday, GAO posts GAO
Reports and newly released reports, testimony, and correspondence on its
Web site. To

have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

                             Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

    To Report Fraud, Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm

    E-mail: [email protected]

Federal Programs Automated answering system: (800) 424-5454 or (202)
512-7470

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Relations
Washington, D.C. 20548

Paul Anderson, Managing Director, [email protected] (202) 512-4800

    Public Affairs

U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

      PRINTED ON

RECYCLED PAPER
*** End of document. ***