
Information Technology: SSA Has Taken Key Steps for Managing Its Investments, but Needs to Strengthen Oversight and Fully Define Policies and Procedures

GAO-08-1020 Published: Sep 12, 2008. Publicly Released: Oct 14, 2008.

Highlights

The Social Security Administration (SSA) spends about $1 billion annually to support its information technology (IT) needs. Given the size and significance of the agency's ongoing and future investments in IT, it is crucial that the agency manages these investments wisely. Accordingly, GAO was requested to determine whether SSA's investment management approach is consistent with leading investment management best practices. To accomplish this, GAO used its IT investment management framework and associated methodology, with a focus on the framework's Stages 2 and 3, which are based on the investment management provisions of the Clinger-Cohen Act of 1996.

Recommendations

Recommendations for Executive Action

Agency Affected: Social Security Administration
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to establish comprehensive policies and procedures for defining the investment governance process that specify (1) investment board operating procedures, (2) delegations of authority, and (3) criteria for prioritizing new and ongoing investments.
Status: Closed – Implemented
SSA provided evidence of comprehensive policies and procedures defining the investment governance process that responded to each aspect of GAO's recommendation. Specifically, the agency provided evidence of investment board operating procedures, including procedures for the Strategic Information Technology Assessment and Review (SITAR) Board's composition on its involvement in SSA's May 2012 Capital Planning and Investment Control (CPIC) process. The Board's responsibilities and procedures outlined in the CPIC guide include ensuring all IT investment decisions are consistent with policies and guidelines, reviewing and approving changes to the current SSA IT plan, reallocation or adjustment of resources out of the investment cycle, consideration and approval/denial of emergency proposals, reviewing projects' health, and ensuring execution of its decisions. SSA's CPIC guidance, along with other documentation provided, outlines delegations of authority for the SITAR Board; Portfolio Executive Boards; and offices, such as the Office of Acquisitions and Grants. For example, SSA's SITAR Board charter explains that the SITAR Board acts as the executive body for SSA's initiatives and projects. Further, the delegations of authority outlined in the Board's charter and CPIC guidance provide the SITAR Board with centralized investment and portfolio management responsibilities which allow for more effective oversight of the CPIC process. SSA's CPIC guidance also includes information on the agency's criteria for prioritizing new and ongoing investments. According to the guidance, investments' cost, benefit, schedule, alignment with agency goals and risk information are assessed, validated, and used as core selection criteria in the select phase and then ranked against other investments. The prioritized list is then used by senior executives to make decisions on which investments will be submitted in portfolios to the SITAR for review and funding approval based on mission needs and agency priorities.
Agency Affected: Social Security Administration
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to strengthen and expand the board's oversight responsibilities for underperforming projects and evaluations of projects.
Status: Closed – Implemented
SSA's Capital Planning and Investment Control (CPIC) guide outlines the board's oversight responsibilities for addressing underperforming projects. SSA's CPIC guidance outlines procedures for referring project performance problems to the Strategic Information Technology Assessment and Review (SITAR) board. Further, the guide outlines the board's participation in TechStat reviews. SSA TechStat reviews are not limited to major investments, and any project that is not performing as expected can be selected for review of its program performance data and opportunities for corrective action. SSA explained that quarterly SITAR meetings include summary-level reviews of each of the agency's Major IT Initiatives, and the outcomes of the sessions are formalized and followed up through completion, with the goal of terminating or turning around underperforming IT investments. SITAR Board members are also responsible for reviewing verified data on IT investments' actual performance, including cost, schedule, benefit and risk performance. Also, the SITAR Board's role in Project Health Assessments is outlined in the CPIC guide. According to the guide, Project Health Assessments are conducted on a quarterly basis; include reviewing project issues related to design, scope, schedule, risk, functionality, and acceptance; and can be used to identify underperforming projects in need of corrective action.
Agency Affected: Social Security Administration
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to establish a mechanism for tracking corrective actions for underperforming investments.
Status: Closed – Implemented
In response to our recommendation, the agency began using its Action Control Tracking System to track the status of corrective actions for underperforming IT projects. Specifically, corrective actions are entered and tracked in the system. In this regard, the system (1) allows for the automatic generation of emails requiring status updates that include a summary of the action items, (2) maintains a table showing staff assigned to make corrections, and (3) tracks the status of the corrective actions to completion.
Agency Affected: Social Security Administration
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to establish policies and procedures for defining the portfolio criteria.
Status: Closed – Implemented
In response to this recommendation, SSA's updated CPIC guide outlines methods used to define portfolio criteria. Strategic Objective Portfolios are established and managed through SSA's CPIC process to ensure alignment with agency strategic planning, performance plan goals, and strategic IRM planning. Section 2.2 of the CPIC Guide discusses SSA's IT Portfolio Management and explains that SSA utilizes a portfolio-based approach to investment management and review that supports agency strategic goals while minimizing redundancy between investments. Further, SSA's IT Portfolio management processes group IT investments into portfolios based on mission areas, strategic goals, objectives, and infrastructure requirements. SSA portfolios have established vision statements that include objectives that align with and help meet agency goals. Portfolio criteria are established in step one of the SSA IT Planning Process, and SSA's IRM Strategic Plan outlines four strategic goals and their subordinate objectives. The plan also includes a chart outlining the performance management framework and how specific projects within portfolios support the prioritization of resources, performance measures, and strategic goals. SSA also provided a chart outlining its IT planning process which explains that the SITAR Board provides guidance on the agency's priorities, as well as makes recommendations to the Deputy Commissioner for Systems/CIO, who does a final review of the agency IT Plan, containing all proposed portfolios, prior to approval.
Agency Affected: Social Security Administration
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to establish portfolio-level performance evaluation policies and procedures and criteria for assessing portfolio performance.
Status: Closed – Implemented
SSA has established portfolio-level performance evaluation policies and procedures and criteria for assessing portfolio performance. SSA released an updated version of its Capital Planning and Investment Control (CPIC) Guidance in May 2012. This guidance included a comprehensive portfolio management process. The guide outlines both policies and procedures used for portfolio-level performance evaluations, as well as criteria for assessing portfolio performance. Comprehensive performance data development, collection, and review processes are outlined in the guidance for continuous review as part of the agency's CPIC process. These metrics and related procedures are applied to investments and carried up to support portfolio health assessments, and include cost benefit analyses, returns on investments, and benefit value scores; risk identification and assessment techniques; and criticality and urgency assessments. On a quarterly basis, the collection, review, and reporting on a project's health occurs with consideration given to performance indicators such as design, scope, schedule, risk, functionality, and acceptance. Portfolio executives meet with DCS Associate Commissioners supporting the portfolio to review and address any health issues. The results of the health collection process are stored on health dashboards. In addition, program managers document quarterly project accomplishments and any issues or risks. The SITAR Board's charter states that a main purpose of the board is to achieve the goals of the Agency Strategic Plan and meet the business needs of the agency; the Board is to meet quarterly. The Board also reviews verified data on IT investments' actual performance against stated expectations.
Agency Affected: Social Security Administration
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to evaluate quantitative measures during postimplementation reviews, and lessons learned for improving select, control, and evaluate processes.
Status: Closed – Not Implemented
In May 2012, SSA issued its Capital Planning and Investment Control (CPIC) guide that describes planned procedures for Post-Implementation Reviews (PIRs). SSA has also identified the planned quantitative measures for improving the select, control, and evaluate processes and the process for documenting lessons learned. The quantitative measures and criteria for the PIR process include performance expectations and actual outcomes, actual versus estimated or initial budget costs, benefits, improved technical capability, return on investment, assessment of how the IT investment aligns with the agency's mission, and actual versus estimated schedule and planned benefits. The guide also explains the planned composition of the PIR team and states that the PIR is to be conducted 6 to 18 months after the IT investment becomes operational and that the results are to be reviewed by the CIO. The PIR process in the guide includes a requirement for the collection and tracking of best practices for use in other investment decisions and for improving the CPIC process. The PIR also includes contingencies for an investment's termination, including a lessons learned collection. Also, the SITAR Board's charter states that it will review the CIO's recommendations on the results of PIRs to further strengthen the process through the board's involvement. Notwithstanding the current guidance, according to SSA officials, the PIR process is still in the early planning phase and post-implementation reviews have yet to be implemented. Thus, the agency is not yet positioned to evaluate quantitative measures or assess lessons learned from such reviews.
Agency Affected: Social Security Administration
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to ensure senior management involvement and full accountability for the agency's investments, the Commissioner of Social Security should direct the Chief Information Officer to develop and implement policies and procedures to manage IT acquisitions as investments and manage them using the investment management framework.
Status: Closed – Not Implemented
SSA's May 2012 Capital Planning and Investment Control (CPIC) guide addresses IT acquisitions, including hardware, software, and services--referred to as special expense items. In addition, the Deputy Commissioner for Systems/CIO, who chairs SSA's Strategic Information Technology Assessment and Review (SITAR) Board, is responsible for approving these items. However, these items are not approved through the SITAR pre-select, select, control, and evaluate processes. Further, IT acquisitions are not mentioned in the SITAR Board charter. As we reported in 2008, until the agency manages acquisitions within its IT Investment Management framework, it will be unable to consider its investments comprehensively, and ensure that the investments optimally address the organization's mission, strategic goals, and objectives.

Topics

Agency missions, Best practices, Cost analysis, Cost control, Cost effectiveness analysis, Evaluation criteria, Federal procurement, Federal social security programs, Financial management, Funds management, Future budget projections, Information technology, Internal controls, Investment planning, Investments, IT acquisitions, IT investment management, Mission critical systems, Monitoring, Program evaluation, Risk management, Strategic planning, Policies and procedures