Federal agencies consistently use at least some OMB guidance in assessing the risk of their IT projects but overall they understate that risk, GAO has said.
GAO was examining agency compliance with the Federal Information Technology Acquisition Reform Act, which among other things requires the government to make available to the public a list of each major IT investment including data on cost, schedule, and performance. OMB does so via the Federal IT Dashboard—its public website that reports on major IT investments, including ratings from agency CIOs which should reflect the level of risk facing an investment.
OMB has suggested six factors to consider in risk ratings, taking into account such considerations as risk management, requirements management, and historical performance. All 17 agencies GAO reviewed used at least two of OMB’s factors, and nine used all of them.
“However, agencies’ interpretations of these factors varied. For example, most agencies considered active risks, such as funding cuts or staffing changes, when rating investments, but others only evaluated compliance with the agency’s risk management processes. Further, 13 agencies required monthly updates to CIO ratings, 1 agency scheduled its reviews based on risk, and 3 agencies required updates less often than on a monthly basis,” said the report.
Of the 95 investments reviewed, GAO’s assessments matched the CIO ratings 22 times, showed more risk 60 times, and showed less risk 13 times.
GAO made recommendations to 15 agencies, 12 of which agreed or did not comment while the others said they believe their risk assessments are adequate—a view that GAO said it does not share.