Legislative Analyst's Office
Analysis of the 2003-04 Budget Bill
The administration proposes a model for a new state information technology governance structure consisting of three components—a State Chief Information Officer, an oversight board, and state control agencies. Our review found that the proposal lacks details and leaves many questions unanswered. As the administration presents additional information to support its model, we recommend the Legislature evaluate the proposal based on the key objectives of leadership, accountability, and oversight.
The budget includes the administration's conceptual proposal for a new information technology (IT) governance structure to support and manage the state's IT operations. The state's IT governance structure is important because of the magnitude and significance of the state's IT resources. For example, over the last ten years, the state has spent an average of about $2 billion per year on IT purposes including (1) developing, implementing, and maintaining IT systems; (2) operating data centers and telecommunication systems; and (3) purchasing new or updated hardware and software.
These annual IT expenditures are used to support every major state program. For example, the Department of Motor Vehicles uses IT to operate the state's vehicle registration program. To efficiently manage these annual IT expenditures and support state programs, the state must have an effective IT governance structure.
Since the 1980s, the state has struggled with implementing an IT governance model that provides strong leadership and guidance to the state's IT operations. From the 1980s to the mid-1990s, the Department of Finance (DOF) was solely responsible for approving and overseeing state IT projects. In 1994, after a series of failed IT projects, the Legislature restricted DOF's role solely to budgetary reviews.
Chapter 508, Statutes of 1995 (SB 1, Alquist), established the Department of Information Technology (DOIT) to provide planning and policy guidance to state IT operations. In addition, Chapter 508 authorized DOIT to approve and oversee state IT projects. From 1995 to 2002, DOIT struggled to meet most of its statutory mandates. In 2002, DOIT was not reauthorized by the Legislature and sunset at the end of 2001-02.
As we have discussed in prior publications, the state has experienced a number of problems with its IT projects and operations. Figure 1 summarizes these past problems. The lack of an effective governance structure has at least partially contributed to these problems.
Figure 1: Past Problems Experienced in State Information Technology
✓ Failed Information Technology (IT) projects.
✓ Inability to correct problematic IT projects.
✓ Ineffective oversight of IT projects.
✓ Inconsistent goals and priorities.
✓ Unclear and unenforced policies.
✓ Conflicting roles and responsibilities.
✓ Inability to share data and establish common systems.
Recognizing the need for an interim governance structure, the Legislature included $2 million from the General Fund in the current-year budget for DOF to provide some oversight of IT systems. This funding was provided with the understanding that the administration would propose a permanent oversight structure in the budget year.
An IT governance model should have the capability to resolve past problems and avoid potential new ones. There are many ways to design an IT governance model. In our view, however, the state's IT governance model should be based on achieving the following three key objectives, as summarized in Figure 2:
Figure 2: Information Technology Governance Model Key Objectives
Leadership
✓ Provides direction and guidance.
✓ Sets goals and priorities.
✓ Develops plans and policies.
Accountability
✓ Defines roles and responsibilities.
✓ Designates specific authority and powers.
✓ Helps the public hold government responsible.
Oversight
✓ Monitors information technology (IT) projects and expenditures.
✓ Directs corrective actions to problematic IT projects.
✓ Provides information for budget and policy decisions.
Given the state's current fiscal situation, the administration proposes that its new IT governance structure be based on existing resources and current departments. As proposed, the new structure consists of three components: (1) a State Chief Information Officer (CIO), (2) an oversight board, and (3) control agencies.
State CIO Primarily Responsible for Strategic Planning. The CIO would be responsible for formulating plans that address the strategic and operational management of the state's IT investment. The CIO would be responsible for developing policies but would not have any day-to-day responsibilities for IT operations.
Board Would Provide Oversight of Some State IT Activities. The oversight board would consist of the DOF, Department of General Services (DGS), and the state CIO, with two nonvoting members of the Legislature. The purpose of the board would be to review the plans developed by the state CIO, approve some state IT activities, and oversee some state IT projects. For example, the board would oversee projects with multi-million dollar budgets. Staff support to the board would be provided by existing staff from DOF and DGS.
DGS and DOF Would Provide Primary Oversight of the State's IT Activities. The DGS and DOF would be responsible for updating and enforcing policies on procurement, project development and oversight, and fiscal reporting. Departments would be responsible for complying with these policies. Depending on the characteristics of an IT project, oversight may be provided by the department or DOF. For example, low-risk projects would be monitored by departments, and DOF would provide fiscal control over high-risk projects.
Currently, the proposal lacks details and leaves many questions unanswered. In attempting to evaluate the proposal, the Legislature will need to focus on (1) the leadership roles of the CIO and the board, (2) the authority of the board, and (3) the oversight roles of the board and the control agencies. We summarize key questions to be addressed in Figure 3.
Figure 3: Proposed IT Governance Model, Questions to Be Addressed by Key Objective
State Chief Information Officer (CIO)
Leadership
· What leadership role does the CIO perform?
· How does the CIO establish goals and priorities?
· What plans does the CIO develop?
Accountability
· What authority and power does the CIO have?
· Who approves the CIO's plans?
· Who is responsible for implementing the CIO's plans?
· What is the role of the CIO in state IT projects?
· What is the role of the CIO in developing state IT policy?
· How does the Legislature hold the CIO accountable?
Oversight
· Does the CIO have any oversight duties?
Board
Leadership
· What leadership role does the board perform?
· What is the relationship between the CIO and the board?
Accountability
· Is the board advisory or regulatory?
· What authority and powers does the board have?
· When and how does the board exercise its powers?
· How does the Legislature hold the board accountable?
· Does the board provide broad representation?
· Who appoints the members of the board?
Oversight
· What are the board's oversight duties?
· What types of projects will the board oversee?
· Does the board have any fiscal roles or duties?
Control Agencies
Leadership
· What leadership roles do the control agencies perform?
· What is the relationship between the control agencies, CIO, and the board?
Accountability
· Who is responsible for ensuring projects are consistent with state goals and priorities?
· Do the control agencies receive additional authority or powers?
· When and how do the control agencies exercise their powers?
· Who is responsible for correcting problematic IT projects?
· Who is responsible for ensuring control agencies issue and enforce their policies?
Oversight
· How is the Legislature informed regarding when and how oversight is performed?
In addition to the questions outlined in Figure 3, our review has identified two issues for the Legislature's consideration, as described in more detail below.
Composition of Board. We are particularly concerned about the proposed composition of the board. The administration envisions a board composed entirely of administration representatives. In our view, this would not provide different and independent views. To preserve the separation of powers, we also question the desirability of having legislative membership on the board. A better composition of the board would include representatives from non-IT-related private industries, higher education, and/or local government. The Legislature could be responsible for confirming the appointment of at least a portion of these board members.
Need to Set Priorities. Even with an improved governance structure, it is unlikely that all problems can be solved in the near term. For these reasons, we recommend the Legislature set priorities as to what problems should be addressed first. Specifically, we suggest one of the first priorities should be overseeing and correcting problematic IT projects. Second, we suggest that the administration address statewide IT issues such as the role of the state data centers and establishment of common systems to share data. Finally, we recommend the Legislature set the specific timeframes in which to meet the priorities. This would enable the Legislature to hold the administration accountable for meeting legislative direction.