Chief Information Officers: Implementing Effective CIO Organizations
(Testimony, 03/24/2000, GAO/T-AIMD-00-128).
Pursuant to a congressional request, GAO discussed the role of chief
information officers (CIO) in the federal government.
GAO noted that: (1) as the federal government moves to fully embrace the
digital age and focuses on electronic government initiatives, leadership
in the management of the government's information resources is of
paramount importance; (2) yet a CIO, alone, cannot ensure the successful
implementation of information management reforms; (3) rather, the CIO
must be buttressed by the full support of agency heads, the commitment
of line managers, clearly defined roles and responsibilities, effective
measures of performance, highly skilled and motivated information
technology (IT) professionals, and a range of other factors; (4) the
practices and key characteristics defined in GAO's CIO guide can put
agencies on the right path toward incorporating these ingredients; (5)
moreover, they can help agencies and their CIOs to identify and correct
underlying information management weaknesses that have undermined their
modernization initiatives; (6) they can even help ensure that agencies
will be well positioned to take advantage of cutting-edge technologies
in order transform service delivery and performance; (7) however,
implementing the practices alone is not enough; (8) to achieve real
successes, agency executives as well as Congress must provide sustained
support and attention to facilitating CIO effectiveness and addressing
any structural changes facing CIOs; and (9) using this support, CIOs
themselves must be now focused on results--making sure that IT
investments make their agencies more innovative, efficient, and
responsive.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: T-AIMD-00-128
TITLE: Chief Information Officers: Implementing Effective CIO
Organizations
DATE: 03/24/2000
SUBJECT: Information technology
Strategic information systems planning
Chief information officers
Human resources utilization
Federal employees
Performance measures
Internal controls
Reporting requirements
Information resources management
IDENTIFIER: Y2K
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Testimony. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO/T-AIMD-00-128
* For Release on Delivery
Expected at
10 a.m.
Friday,
March 24, 2000
GAO/T-AIMD-00-128
chief information officers
Implementing Effective CIO Organizations
Statement of David L. McClure
Associate Director, Governmentwide and Defense Information Systems
Accounting and Information Management Division
Testimony
Before the Subcommittee on Government Management, Information and
Technology, Committee on Government Reform, House of Representatives
United States General Accounting Office
GAO
Mr. Chairman and Members of the Subcommittee:
Thank you for inviting me to participate in today's hearing on the role of
chief information officers (CIOs) in the federal government. As you know,
Mr. Chairman, the rapid pace of technological change and innovation has
offered unprecedented opportunities for the government to use information
technology to improve operational performance, reduce costs, and enhance
service responsiveness to the public. Yet, at the same time, it has raised a
range of thorny issues surrounding managing and integrating complex
information management (IM) processes; computer hardware and software;
telecommunications networks; and, most important, aligning IT with business
needs. Consequently, it is increasingly critical that federal agencies have
effective leadership and focused management control over the government's
$38 billion in annual spending on information management and technology that
goes beyond what would be required solely in a technical support function.
Since the passage of the Clinger-Cohen Act in early 1996, all 24 major
cabinet departments and executive agencies have appointed CIOs. Spurred by
the Y2K computing problem, many have also begun implementing essential
information management processes, such as IT investment management controls,
cost estimation processes, and IT architectures. In light of these
developments, I would like to briefly touch upon the progress that has been
made in establishing federal CIOs and the challenges that remain in
achieving the long-term success of these positions. At the same time, I will
point out that in order to reap the full benefits of these reforms, more
remains to be done to ensure that federal CIOs establish themselves as
effective information management leaders, build credible IM organizations,
and deliver high-value IT investment results. I also want to introduce an
important study we have just completed, entitled Maximizing the Success of
Chief Information Officers - Learning From Leading Organizations, which can
be used to help address the challenges surrounding CIOs. We are publicly
releasing this study today; it is based on the best practices of prominent
private and state government organizations. The report suggests ways federal
agencies can go about ensuring that CIO functions are effectively integrated
into overall performance-based and accountability management approaches.
Progress Made In Establishing Federal CIO Positions
To reap the full benefits of new technologies, federal agencies must have
effective information management leaders who can transform IT dollars into
prudent investments that achieve cost savings, increase productivity, and
improve the timeliness and quality of service delivery. This was widely
recognized by the Congress in the 1990s as it worked in conjunction with the
administration to craft several key information management reform laws,
notably the Federal Acquisition Streamlining Act of 1994, the revision of
the Paperwork Reduction Act (PRA) in 1995, and the Clinger-Cohen Act of
1996. Other than the Computer Security Act of 1987, these were the first
major information management reforms instituted in the federal government
since 1980. The Clinger-Cohen Act, for example, required major departments
and agencies to appoint CIOs and implement IT management reforms largely
grounded in successful commercial IT management practices. In particular,
the act established CIO positions that report directly to the agency heads
and have IM as a primary function. As noted below, the CIOs are responsible
for a wide range of strategic and tactical information management activities
outlined in the Clinger-Cohen Act, such as developing architectures,
managing and measuring the performance of IT investment portfolios, and
assisting in work process improvements. This mirrors the evolution of the
CIO position in industry where it has largely moved from solely a technical
support focus to a much more executive and strategic level position.
Effective selection and positioning of CIOs can make a real difference in
building the institutional capacity and structure needed to implement the
management practices embodied in Clinger-Cohen and PRA. But the position is
both relatively new and evolving in the federal government, and agency
leaders face many challenges from the growing expectations for dramatic
improvements in implementing improved IT management practices and
demonstrating cost-effective results. Just finding an effective CIO can be a
difficult task, since the individual must combine a number of strengths,
including leadership ability, technical skills, an understanding of business
operations, and good communications and negotiation skills. Also, the
individual selected must match the specific needs of the agency, which must
be determined by the agency head based on the agency's mission and strategic
plan. The CIO must recognize the need to work as a partner with other
business or program executives and to build credibility in order to be
accepted as a full participant in the development of new organizational
systems and processes and to achieve successful outcomes with IT
investments.
Even with the right person in place, the agency head must make a commitment
to the success of the CIO by assuring that adequate resources are available
and a constructive management framework is in place for implementing
agencywide IT initiatives. The resolution of problems founded in unsound
investment control processes, poor project management, and weak software
development and acquisition capabilities requires executive commitment and
active support.
CIOs' progress in working with agency executives to meet these challenges
has been mixed. On the positive side, responding to the Year 2000 (Y2K) date
conversion challenge helped most agency leaders recognize the importance of
consistent and persistent top management attention to information management
and technology issues. Progress has been made in strengthening IT management
capabilities in order to rectify past failures with costly modernization
efforts, e.g., by developing IT architectures, strengthening cost-estimating
processes, and improving software acquisition capabilities. In addition, in
responding to Y2K, many agencies developed inventories of their information
systems, linked those systems to agency core business processes, and
jettisoned systems of marginal value. Moreover, more agencies have
established much-needed IT policies in areas such as system configuration
management, risk management, and software testing.
According to officials at the Office of Management and Budget (OMB), the Y2K
problem also gave agency CIOs a "crash course" in how to accomplish
projects. Many CIOs were relatively new in their positions and expediting
Y2K efforts required many of them to quickly gain an understanding of their
agency's systems, work extensively with agency program managers and chief
financial officers (CFOs), and become familiar with budgeting and financial
management practices.
The Federal CIO Council has also facilitated positive developments. For
example, the Council has been working actively with the Office of Personnel
Management to develop special pay rates for hard-to-hire IT professionals.
It has facilitated the development of a web-based information consolidation
tool, which provides a standard IT budget reporting format and should assist
agencies in linking their internal planning, budgeting, and management of IT
resources. The Council also assisted administration officials in tracking
the progress of Presidential Decision Directive 63, which tasked federal
agencies with developing critical infrastructure protection plans,
identification and evaluation of information security standards, and best
practices and efforts to build communication links with the private sector.
Further, in addressing the Y2K challenge, the Council participated in
governmentwide efforts to develop best practices for Y2K conversion and to
address important issues such as acquisition and Y2K product standards, data
exchange issues, telecommunications, buildings, biomedical and laboratory
equipment, and international issues.
Still, agencies face incredible challenges in effectively managing their IT
investments and in assuring that these investments make the maximum
contribution to mission performance that is possible. Some of our recent
reviews have found that fundamental IT investment processes are incomplete
and not working consistently to help achieve better project outcomes. For
example, IT portfolio selection, control, and evaluation processes and
performance metrics have not been developed to gauge the progress of
investments or their contribution to program outcomes. Acquisitions may be
executed faster, but in many cases the link to program performance is lost
so the real value of the investment cannot be determined. In short, more
clarity could be given to how IT investments are being or will be used to
improve performance or help achieve specific agency goals and ensuring that
better data exists to guide informed decisions. Other common problem areas
include inadequate progress in designing and implementing IT architectures
before proceeding with massive modernization efforts and immature software
development, cost estimation, and acquisition practices. These are areas
where the agency heads were assigned specific responsibility in the PRA and
in the Clinger-Cohen Act, and for which CIOs were appointed to help rectify
poor agency track records.
Information security is another widespread and growing problem confronting
federal CIOs. A rash of break-ins at federal websites and disruptions caused
by the Melissa computer virus and other malicious viruses sent via the
Internet recently highlighted this concern. However, our reviews show that
this problem runs much deeper. In particular, our October 1999 analysis of
our own and inspector general audits found that 22 of the largest federal
agencies were not adequately protecting critical federal operations and
assets from computer-based attacks. Among other things, we found that
agencies are lacking the strong, centralized leadership needed to protect
critical information and assets as well as sound security planning,
effective control mechanisms, and speedy response to security breakdowns.
These weaknesses pose enormous risks to our computer systems and, more
important to the critical operations and infrastructure they support, such
as telecommunications; power distribution, national defense, and law
enforcement; government services; and emergency services. In the case of
computer security, too, the responsibility has been given to the agency
heads by the PRA and Clinger-Cohen Act with CIOs to provide support.
Clearly, more remains to be done to realize the full potential of CIOs as
information management leaders, to build CIO organizations that have the
credibility needed to be successful; to define the measures necessary to
gauge this success and demonstrate results, and to put in place the
structure for organizing information management to meet pressing business
needs. The CIO executive guide that we are releasing today is designed to
help resolve these challenges. Through our research and interviews with CIOs
and other executives in case study organizations, we have developed a
framework of critical success factors and leading principles. Federal
agencies can turn to this guide for pragmatic assistance in leveraging the
CIO position.
Learning to Maximize the Success of CIO Organizations
Some principles need to be addressed by top executives across the
organization, rather than by the CIO. For example, along with other top
executives, the chief executive officer (CEO) must recognize the role of IM
in creating value to the business before appointing a CIO. In addition, the
CEO must also undertake responsibility for defining and instituting the CIO
position. The other principles are squarely within the domain of the CIO.
For example, the CIO must take full responsibility for ensuring the
credibility of the IM organization. While other leaders can contribute to
this principle, the CIO must be seen as the leader of the unit and must
consistently raise the visibility and demonstrate the value of the IM
organization across the enterprise. Overall, the principles are strikingly
simple and strongly supported by a wide range of other CIO-based research.
Nevertheless, consistent attention and commitment often remains elusive and
pinpoints the notable difference between leading organizations and others.
Let me also underscore, Mr. Chairman, that the principles are most effective
when implemented together in a mutually reinforcing manner. As ad hoc
efforts, each principle addresses a single aspect that while necessary, is
not sufficient for success by itself. And the failure to execute a single
principle may render others less effective. Nevertheless, organizations may
find it more feasible to address one principle before another.
The Foundations for Achieving CIO Success: Consistent Critical Success
Factors and Key Characteristics
Figure 1: Critical Success Factors for CIOs
FACTORS
1. Recognize 3. Ensure the
the role of Credibility
5. Organize IM to
Each principle identified in our guide is also defined by key
characteristics. These key characteristics represent the specific approaches
we observed that contribute to the success of the CIO. For example, to
ensure the credibility of the IM organization, successful organizations
ensure that (1) the CIO model complements organizational and business needs,
(2) the CIO's roles, responsibilities, and accountabilities are clearly
defined, and (3) the CIO has the right technical and management skills to do
the job. To define performance measures, IM managers generally engage both
their internal and external partners and customers and continually work at
establishing feedback between performance measurement and business
processes.
As CIOs or senior agency executives use our guide, they may want to compare
their organization to these key characteristics to assess the extent to
which their organization resembles those we visited in the development of
our guide. They may also gain insight into what aspects of their
organization they should address as they work to enhance the effectiveness
of their CIO position. Our guide also presents case studies illustrating how
these key practices are employed within specific organizations. And it
suggests specific strategies for implementing both principles and
characteristics.
Table 1: Key Characteristics of CIO Principles
Principles Key Characteristics
Instituting an effective CIO * IM organization
organization does not start functions and processes
with the selection or are incorporated into
placement of an IM leader, or the overall business
Recognize the setting up a structure for process.
role of IM in managing information * Mechanisms and
creating value resources and activities. structures are adopted
Rather, it begins with that facilitate an
consideration of the role of understanding of IM and
IM and how vital it is to its impact on the
accomplishing mission organization's overall
objectives. strategic direction.
* The CIO model is
consistent with
organizational and
There is no one way to business needs.
establish a CIO position, but * The roles,
there are a number of responsibilities, and
accountabilities of the
Position the practices and strategies that CIO are clearly
CIO for success senior managers in leading defined.
organizations use to help
define and institute their * The CIO has the right
CIO positions to effectively technical and
meet business needs. management skills to
meet business needs.
* The CIO is a full
member of the senior
management team.
* The CIO has a
legitimate and
influential role in
Instituting a CIO position leading top managers to
consistent with organization apply IM to meet
needs and finding a credible business objectives.
leader to fill the job are no * The CIO has the
Ensure the guarantee of CIO success. commitment and trust of
credibility of CIOs themselves must employ line management.
the IM strategies to legitimize * The CIO accomplishes
organization their roles and successfully quick, high-impact, and
collaborate with their visible IM successes in
business counterparts to balance with long-term
guide IM solutions and meet strategies.
mission needs. * The CIO learns from and
partners with
successful leaders in
the organization.
In many organizations, the * IM managers engage both
value of IM is considered their internal and
difficult to measure. external partners and
However, it has become customers when defining
increasingly evident that measures.
Measure success without a measurement process * Managers at all levels
and demonstrate where results can be ensure that technical
results demonstrated, not only is IM measures are balanced
at a disadvantage when with business measures.
competing for scarce * Managers continually
resources, but also when work at establishing
making its case in support of active feedback between
IM initiatives. performance measurement
and business processes.
* The IM organization has
a clear understanding
of its
responsibilities.
* The extent of
decentralization of IM
The IM organization must resources and
provide effective, responsive decision-making is
Organize IM to support to the business driven by business
meet business through efficient allocation needs.
needs of resources and the * The structure of the IM
day-to-day execution of organization is
responsibilities. flexible enough to
adapt to changing
business needs.
* The IM organization
executes its
responsibilities
reliably and
efficiently.
* The IM organization
identifies necessary
Given prevailing market skills.
forces and internal legacies, * The IM organization
Develop IM the IM organization must develops innovative
human capital provide an effective, ways to attract and
responsive IM workforce to retain talent.
help accomplish mission and * The IM organization
goals. provides needed
training, tools, and
methods.
How Leading Organizations Compare With Federal CIO Management Practices
This lack of attention to the CIO as the focal point of IM practice in the
agency extends to the failure of agency heads to include their CIOs in
executive business decision-making. In the federal government setting, IM is
still too often treated as purely a technical support function rather than a
strategic asset critical to improving mission performance and achieving more
cost-effective results. As a result, the CIO's role is often further from
the strategic planning of the organization than in the organizations we
contacted for our guide. Moreover, federal organizations are often less
flexible in reassigning IM staff and structuring capabilities across
business and technology lines due to the highly decentralized IM
responsibilities found in many large agencies.
Also, the relative inflexibility of federal pay scales makes it difficult to
attract and retain the highly skilled IT professionals required to develop
and support the systems being proposed. I will be discussing these and other
constraints further momentarily, but I would like to point out that such
challenges tend to slow the progress of implementing other principles.
Interestingly, the practices of federal CIOs tended to be most similar to
those CIOs in our study in those principles in which CIOs could exert the
most personal control. That is, federal CIOs tend to use the same approach
to building credibility within the enterprise as our case study CIOs did. In
addition, both groups of CIOs tend to have similar problems with performance
measures and demonstrating results. Our case study CIOs had made more
advances in building links between IM and business objectives, but the
measures themselves are still evolving. On the federal side, the ties to
mission performance are not as strong, perhaps because of a lack of
collaboration between the program areas and the IM organization in the
development of mission requirements, though provisions of the Clinger-Cohen
Act are providing the motivation to improve this process.
Table 2: How Leading Organizations Compare With Federal Practices
Uses practices similar to leading organizationsTries to meet needs of
customers with a fixed organizational structure Structures the organization
primarily along IM functional areas
Critical
Principle What a Leading What the Federal
Success Factors Organization Does Government Does
* CEOs and IM generally still
governors ensure viewed as a support
that the IM function instead of
as a strategic
Recognize the Role organization is activity
of IM in Creating a key business
Value player CIO is not always
* CIO is part of
the executive involved in
decision-making strategic and
process policy-making
decisions
* Defines clear Does not always
CIO role and clearly define CIO
authorities role or authority
* Matches CIO type
and skills set Does not always
Align IM Position the CIO with business match CIO selection
Leadership for for Success needs with agency needs
Value Creation * Forges CIO
partnership with Does not always
CEO and other provide executive
senior support for the CIO
executives position
* CIO builds
credibility
through
effective IM
Promote Ensure the leadership,
Organizational Credibility of the IM good working
Credibility Organization relationships,
track records,
and partnering
with customers
and peers
* Strong links
exist between
business Weak links between
objectives agency goals and
IM/IT performance
Measure Success and measures
and Demonstrate performance
Results measures Required annual
* Performance
management performance plans
structure still in preliminary
still stages
evolving
* Reassigns IT
staff as needed
to best serve
Execute interests of
Organize IM to customers
IM Meet Business * Structures the
Needs organization
Responsibilities along business
lines as well as
IM functional
areas
* Maintains
up-to-date
professional Provides limited
skills in amount of training in
technology technology management
Develop IM Human management
Capital * Outsources Assumes entry-level
entry-level IM staff will remain
positions but in federal service as
largely hires a career
at all levels
of experience
Additional Constraints on Federal CIOs Warrant Further Attention
* First, senior executive management in the federal sector can differ
significantly from the private sector. The agency head and other top
executives are political appointees who are often more focused on
national policy issues than building capabilities essential for
achieving the desired strategic and program outcomes. This can deny the
CIO the CEO-level support that is so critical for the successful
integration of IM into the core business or mission functions. The
Clinger-Cohen Act addresses this situation by holding the agency heads
accountable for IT and requiring the CIOs to work with other executives
in the management of their agencies' information resources.
* Second, the federal budget process can create funding challenges for
the federal CIO that are not found in the private sector. For example,
certain information projects may be mandated or legislated, so the CIO
does not have the flexibility to decide whether to pursue them. This
ties up IT investment funds that might otherwise have been spent on
other priorities. Additionally, the annual budget cycle of the federal
government creates a great deal of uncertainty in funding levels
available year-to-year, particularly when IT dollars are part of
overall agency discretionary spending. The multitude of players in the
budget process can also lead to unexpected changes in funding and the
loss of the connection between budget and achievement of agency
mission. This can create dynamic decision-making challenges for
long-term investment strategies. Further, IT funds are often contained
within the appropriations for a specific program, making them less
visible. As a result, the CIO may not have control or direct oversight
of key parts of the IT funding within the agency. The Clinger-Cohen Act
addresses this by requiring fact-based decision-making for project
initiation and control. OMB is charged with reviewing the decision
support and inspecting the link between budget proposal and expected
performance outcomes.
* Third, human capital decisions in the federal sector are often
constrained relative to the flexibility found elsewhere. Current
federal IM job descriptions do not match the occupations recognized in
the IM industry today. Funds for skill refreshment are often among the
first to be scaled back in across-the-board budget cuts. The Office of
Personnel Management has also found IM salaries in the federal
government to be lower than in the private sector and incentives
available in the private sector do not exist in the federal government.
* Fourth, the federal CIO may direct an organization without the full
range of functional responsibilities that would typically be a CIO's
responsibility in the private sector. For example, some federal CIOs
are in charge of larger policy and oversight functions with little
operational responsibility. While this may be an appropriate model for
some agencies, it is critical that any model be matched with the
overall needs of the agency and legislative responsibilities in mind.
* Fifth, the range of responsibilities, as defined by legislation, that
accrue to the CIO are very broad in the federal sector, including areas
like records management, paperwork burden reduction and clearance, and
Freedom of Information Act requirements, for which there is little
parallel in the private sector. While federal CIOs often may not have
the operational responsibility for the full range of activities covered
in legislation, they are charged with ensuring that these functions are
effectively performed.
Leadership turnover; shifts in business direction, priorities, and emphasis;
changing funding levels; and human capital issues are real issues in all
organizations-public and private. As such, these constraints should not be
viewed as reasons for why the federal CIO cannot be successful. Instead,
these constraints should be recognized and anticipated so that effective
management approaches can be put in place to mitigate risks and address
accountability.
Concluding Remarks
The practices and key characteristics defined in our CIO guide can put
agencies on the right path toward incorporating these ingredients. Moreover,
they can help agencies and their CIOs to identify and correct underlying IM
weaknesses that have undermined their modernization initiatives. They can
even help ensure that agencies will be well positioned to take advantage of
cutting-edge technologies in order to transform service delivery and
performance. However, implementing the practices alone is not enough. To
achieve real success, agency executives as well as the Congress must provide
sustained support and attention to facilitating CIO effectiveness and
addressing any structural challenges facing CIOs. Using this support, CIOs
themselves must be now focused on results-making sure that IT investments
make their agencies more innovative, efficient, and responsive.
Mr. Chairman, this completes my statement. I would be happy to answer any
questions that you or Members of the Subcommittee may have.
Contact and Acknowledgments
(511704)
Orders by Internet
For information on how to access GAO reports on the Internet, send an e-mail
message with "info" in the body to:
[email protected]
or visit GAO's World Wide Web home page at:
http://www.gao.gov
Web site: http://www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
1-800-424-5454 (automated answering system)
*** End of document. ***