FDIC, Federal Deposit Insurance Corporation, Office of Inspector General, core values: communication, objectivity, responsibility, excellence

Central Data Repository Project Management

June 2005
Audit Report 05-022


DATE: June 9, 2005
MEMORANDUM TO: Stephen M. Beard
Deputy Assistant Inspector General for Audits
Office of Inspector General
FROM: Arthur J. Murton
Director, Division of Insurance and Research
SUBJECT: Response to OIG Draft Report Entitled, Audit of Central Data Repository Project Management (Audit No. 2004-058)

Thank you for the opportunity to review and comment on the subject draft report. In addition to the issues we discussed at our May 12, 2005 exit conference, we are providing our response to the specific recommendations identified in the subject report.

Management’s response:

The report cites three general recommendations for which we have provided a response.

The Inspector General recommends that the Director, Division of Insurance and Research (DIR), require that the CDR project management team maintain current and complete risk management and contingency plans. Specifically:

Recommendation 1: The CDR project management team should promptly determine the cost, schedule, and benefits impact of the change requests, delayed implementation of some functionalities, and secondary options for functionalities. The change requests should be approved in accordance with the CDR change control process. These determinations should be made before the FFIEC accepts delivery of the CDR system.

DIR response to recommendation #1: DIR concurs with this recommendation. The CDR project team has had a robust Change Control Board (CCB) process in place since April 2004. Through this process, the Contractor has been asked to first provide schedule and cost estimates for those Change Requests that are deemed to be critical to complete before initial CDR implementation (scheduled for September 30, 2005). In addition, the CDR Project Manager established a Test Review Board in April 2005 to review new change requests and other issues arising from FFIEC testing of the CDR. The TRB recently completed an evaluation of all outstanding change requests to validate their prioritization ranking and is scheduled to notify the Contractor which Change Requests will be required prior to implementation by June 15, 2005.

After the Contractor has addressed all issues (both defects and Change Requests) that must be completed to enable system implementation, they will be directed to provide cost and schedule information for those Change Requests that do not compromise baseline Call Report processing and therefore can be addressed after system implementation. We believe this approach is appropriate given the nature of the project schedule and the desire to not divert resources away from meeting the current implementation date. (It should also be noted that the contract does not currently require the Contractor to provide schedule and cost estimates on all outstanding change requests prior to system implementation.)

To continue to ensure that Change Requests with cost or schedule impact are addressed in formal modifications to the Contract, the updated Change Request policy incorporates specific roles for both the Contracting Officer and the Oversight Manager. The FDIC will hold the Contractor responsible for executing Change Requests that the CCB determines are within the scope of the Contract at no additional cost. In cases where completion of a Change Request is postponed until after the September 30, 2005 implementation, the Contracting Officer will likely conditionally accept the CDR and, in conjunction with that conditional acceptance, withhold a portion of the payment on the final deliverable if the Change Request is within the original contract scope. Any deferment of functionality past initial implementation will be formalized in a contract modification. Also, Change Requests that require FFIEC payments above the firm fixed price will be formalized in a contract modification and will be subject to the approval processes both within the FDIC and at the FFIEC.

In Modification Nine to the contract, both parties agreed to extend the implementation date of the CDR and the option period for exercising specified secondary functionality for one additional year. As a result, the FFIEC will have until March 31, 2006 to exercise any desired secondary options. Prior to exercising any secondary option, the FFIEC will consider all appropriate information, including performance of the Contractor, changing priorities within the FFIEC and alternative approaches for achieving the results envisioned by the secondary options that were not available at the time the original contract was executed.

Recommendation 2: The risk management plan should be updated to address the CDR system post-delivery requirements and functionalities.

DIR response to recommendation #2: DIR concurs with this recommendation. The CDR project team will continue to evaluate the impact of deferring implementation of functionality until after September 30, 2005 during the monthly risk management review. This action will be completed by September 15, 2005.

Risks are assessed on a monthly basis consistent with the FFIEC Risk Management Plan. Risk status reports are presented to the Steering Committee monthly, and the risks and mitigation plans are assessed regularly at the bi-weekly project management meetings. The FFIEC Risk Management Plan identifies 23 risks to the project, and issues related to functionality that will be implemented after September 30, 2005 will be reported and evaluated in one or more of those existing 23 risks. To fully monitor this issue and identify any associated risks, the FFIEC Risk Manager will be briefed on the cost and schedule impacts of all Change Requests that are accepted. This will be an on-going process through September 15, 2005.

Recommendation 3: The contingency plan should be updated and approved by the CDR Steering Committee to reflect the revised project schedule, including the post-delivery requirements and secondary options. The plan should also address available alternatives, including project termination, if the September 30, 2005 CDR system delivery date cannot be met.

DIR response to recommendation #3: DIR concurs with this recommendation. The CDR project team will update the “Call Reporting Modernization Implementation Contingency Plan” to reflect the revised project schedule, and will identify contingency plans that address functionality to be implemented after September 30, 2005 in the “Risk Mitigation Plan” that is updated on a monthly basis. The “Call Reporting Modernization Implementation Contingency Plan” will be updated and presented to the CDR Steering Committee for review and approval at their June 16, 2005 meeting. Each of these documents will address any available alternatives being considered if risks rise to an unacceptable level in any risk category.

We appreciate your feedback on this project and the opportunity to respond to this draft report. Should you have additional questions or concerns, please feel free to contact Maureen Sweeney or Martin Henning.

cc: Steven O. App
Michael E. Bartell
James Angel

Last updated 8/7/2005