FDIC's Capital Investment Management Review Process for Information Technology Investments – Memorandum
September 23, 2004
Audit Report No. 04-039
Federal Deposit Insurance Corporation
Co-Chairmen Capital Investment Review Committee
Washington, D.C. 22226-3500
DATE: September 17, 2004
MEMORANDUM TO: Stephen M. Beard, Deputy Assistant Inspector General for Audits
FROM: Steven O. App [Electronically produced version; original signed by Steven O. App], Deputy to the Chairman and Chief Financial Officer
Michael E. Bartell [Electronically produced version; original signed by Michael E. Bartell], Chief Information Officer and Director, Division of Information Resources Management
SUBJECT: Draft Report Entitled, FDIC's Capital Investment Management Review Process for Information Technology Investments (Assignment Number 2004-015)
Thank you for the opportunity to comment on the above-referenced report. As you are aware, the FDIC has been actively developing and implementing a formalized capital planning and investment management (CPIM) process utilizing the GAO's Information Technology Investment Management (ITIM) framework and industry best practices. We are pleased at the considerable progress that has been made and intend to continue to institute practices to bring the FDIC's program to an even higher level of maturity.
It is important to note that implementation of the CPIM process has been occurring during a period of significant organizational change in the FDIC, in particular the ongoing DIRM transformation effort. An important component of this initiative is the establishment of a Program Management Office (PMO), which will be an additional resource to support and guide the CPIM activities. These organizational changes will impact the CPIM process as well as the ability to address the specific recommendations in the above-referenced report.
Specifically, given that the future DIRM organizational structure is currently being re-defined, combined with the fact that no new capital investment projects are planned for the remainder of 2004, management has determined that it would be an inefficient use of resources to further document many of today's CPIM procedures. Rather, management will focus resources on the successful implementation of the upcoming organizational changes. Upon completion of Phase II of the DIRM Transformation Plan – at which time it is believed that most of the necessary organizations will be in place – procedures will be refined and appropriately documented. Taking into account the timing of Phase II of the Transformation Plan and the degree of change anticipated, DIRM believes agreed-upon corrective actions will be completed by June 30, 2006 unless otherwise specified below.
Recommendations:
Strengthen the IT investment management governance structure.
- Update the FDIC Capital Investment Policy to outline the CIO Council's responsibilities in the CPIM process.
Concur. The FDIC Capital Investment Policy, approved June 30, 2004, will be reviewed and, as needed, updated at least annually. The policy will be modified by June 30, 2005, to incorporate the role of the CIO Council.
- Keep more formal records of the Financial Analysis Committee (FAC) meetings and deliberations.
Concur. While the Committee's formal business decisions are documented in a memorandum to the CIRC, management recognizes the need for maintaining formal meeting minutes. Beginning immediately, minutes of all future FAC meetings will be produced outlining relevant discussion points and decisions. While no date has been set for the next FAC meeting, it is expected to occur prior to December 31, 2004.
Strengthen CPIM-related procedures.
Establish CPIM procedures that, at a minimum, should include guidance for –
- Periodically reviewing and updating (as needed) the existing CIRC project and portfolio selection criteria. This may include evaluating the need for more specific cost, benefit, schedule, and performance criteria.
Partially concur. The Corporation agrees with the intent of the recommendation but believes that the FDIC Capital Investment Policy approved June 30, 2004 provides for periodically reviewing CIRC project and portfolio selection criteria. Specifically, the policy states that the CIRC is responsible for reviewing the policy annually and revising it as needed. This statement is intended to mean that all aspects of the FDIC's capital investment planning program are to be reviewed.
Nevertheless, selection criteria will be moved from the CIRC Charter to the FDIC Capital Investment Policy and reviewed annually as part of the policy review. This action will be completed by June 20, 2005.
- Specifying requirements for validating quarterly project assessments by independent qualified personnel.
Do not concur. The CIRC believes that current procedures provide for adequate independent validation of quarterly project assessments at multiple levels. Specifically, the FDIC Capital Investment Policy requires project managers to submit a quarterly assessment report to the CIRC and Board of Directors outlining the project's current status. To ensure adequate independence of project assessments, the policy states that responsibility for assessing a project rests with its Executive Sponsor and Executive Steering Committee, not the project manager. Furthermore, the policy establishes the CIRC as the final authority for approving all project assessments. This current process – as documented in the FDIC Capital Investment Policy – provides multiple levels of independent review of all project assessments. Furthermore, its effectiveness is demonstrated by the downgrading by the CIRC of several proposed project assessments submitted over the course of the last year.
The CIRC also issued the Capital Investment Project Assessment System which provides guidance to Executive Sponsors and Executive Steering Committees in assessing their respective projects. This guidance was issued to provide consistency among the assessments of all the projects in the portfolio. As a result, management believes that its existing, documented procedures are sufficient to ensure consistent and independent assessments of all capital investment projects.
- Periodically reviewing and updating quarterly project and portfolio assessment criteria.
Partially concur. Reviewing and updating quarterly project and portfolio assessment criteria is a routine part of the FDIC's CPIM process. Over the last year, the CIRC's quarterly Capital Investment Report to the Board of Directors has evolved steadily to incorporate a more portfolio oriented summary of the capital investment projects. These reviews and enhancements occur every quarter as part of the report preparation process.
Furthermore, the project assessment criteria are periodically reviewed and modified to reflect knowledge gained by additional experience with the CPIM process. During the first quarter of 2004, formal guidance outlining the assessment criteria was drafted and distributed to project managers for use in preparing their respective first quarter 2004 project assessment reports. This guidance will continue to be reviewed periodically (at least annually) as more experience is gained. The first annual review will occur by June 30, 2005.
Nevertheless, it is recognized that reviewing the guidance and application of the assessment criteria should be done on a regular basis. The to-be-established PMO will review the application of the assessment criteria and recommend changes to the CIRC as needed.
- Documenting and tracking project performance problems and verifying the completion of necessary corrective actions.
Do Not Concur. All project managers are required to document project performance problems in their quarterly project assessment reports. In addition, any project receiving a rating of "Yellow" or "Red" for any assessment factor is required to develop a plan for returning the project to "Green" and to document this plan in the quarterly report. While the quarterly assessment report is the CIRC's primary tool for tracking project performance, all projects encountering significant problems are also required to promptly discuss these issues at the CIRC meetings. If warranted, a special CIRC meeting will be called. These discussions are documented in the CIRC meeting minutes. CIRC members are able to monitor the progress of corrective actions by reviewing future quarterly reports and through follow-up discussions with project management at future CIRC meetings.
In developing the CPIM process, the CIRC was cognizant of the need to provide effective management oversight of capital investment projects while avoiding micro-managing them. In order to minimize the amount of reporting required of project managers, it was decided that the quarterly assessment report will be the primary vehicle for reporting project information to the CIRC. Given the limited number of projects that make up the capital investment portfolio at any given time, it is believed that the current procedures are sufficient.
Below the CIRC level, the FDIC Capital Investment Policy also requires each capital investment project to establish an Executive Steering Committee. The Executive Steering Committee is charged with monitoring the progress of the project, approving any modifications to the existing plan, and following up on any changes to ensure that the project is completed as intended. These responsibilities are also delineated in the Executive Steering Committee's charter. This multilevel monitoring system allows significant project issues to rise to the level of the CIRC while making the Executive Steering Committee primarily responsible for monitoring any specific corrective actions.
- Document the CIO Council's oversight process for capital investments in the steady state phase.
Concur. During the next revision of the FDIC Capital Investment Policy, provisions will be incorporated to specify the CIO Council's responsibilities regarding oversight in the steady state phase. This action will be completed by June 30, 2005.
- Documenting specific capital investment-related information, including information about steady state investments that should be captured and maintained, where it should be stored, the organization responsible for updating the information, and how often it should be updated.
Concur. Responsibility for oversight of investment projects in the steady state phase will rest with the CIO Council and each project's respective division or office sponsor. The Council is currently performing a review of the entire portfolio of IT projects in use by the FDIC in order to identify overlapping systems and potential cost savings. In addition, a new enterprise asset tool will be installed to assist with tracking capital investments in the steady state phase. Specific tracking information will be developed and documented.
- Documenting the FAC and EAC responsibilities for reviewing PIR results.
Concur. During the next revision to the FDIC Capital Investment Policy, specific responsibilities of the FAC and EAC in relation to the PIR will be incorporated. Current policy requires the next revision to be completed by June 30, 2005.
- Update PIR procedures to reflect current practices, including use of IRIS to record and track corrective actions identified during the PIR process.
Partially concur. Management agrees that existing PIR procedures require updating to reflect new realities instituted by the CPIM process, the establishment of the PMO, and the introduction of the Rational Unified Process (RUP) software development process. However, at this time, management does not believe that IRIS represents the best tool for tracking PIR findings and recommendations. So while management agrees with the intent of the recommendation, disagreement is centered on the tracking tool specified.
Within the CPIM framework, the PIR is used to identify and document best practices and project management shortcomings that can be applied to other IT development efforts to improve future project results. These lessons learned are best presented to management, including the CIRC, where they can be reviewed and, as appropriate, acted upon. Where appropriate, these recommendations will be reflected in modifications to existing CPIM policies and procedures. Project management recommendations will continue to be disseminated to corporate project managers through periodic best practices meetings – two of which have been held year-to-date.
As some PIRs may not result in corrective actions, management believes it is premature to designate IRIS as the optimal method of capturing, disseminating, and tracking PIR results. To date, no CIRC project has undergone the PIR process. As a result, a final selection of any tracking system(s) has yet to be made. The FDIC Capital Investment Policy requires all capital investment projects to undergo a PIR within six-to-twelve months of completion. The Laptop Replacement Project, which concluded on June 30, 2004, will be the first capital investment project to undergo a PIR. By policy, this review is not required to be completed until June 30, 2005.
Current plans call for the PMO to take the lead in development of policies and procedures relating to the PIR process. Included in this responsibility is the selection of any tool(s) for tracking PIR findings. Management believes additional experience and analysis is required before any tool(s) can be selected.
Create a CPIM plan.
- Ensure long term CPIM program goals are integrated into Corporate or DIRM planning documents to ensure continued focus on IT investment process improvements.
Concur. Corporate and DIRM objectives will continue to be used to ensure that the CPIM process continues to remain a primary focus of the Corporation. An IT Strategic Plan has been finalized and 2005 Corporate Performance Objectives will again include an objective that FDIC effectively manages capital investment projects. These planning documents will be used to ensure that the CPIM process continues to remain a primary focus of the Corporation. These actions are expected to be completed by December 31, 2004.