Project Management Framework for the
Asset Servicing Technology Enhancement Project

December 2005
Report No. 06-004

AUDIT REPORT

FDIC OIG, Office of Audits

Background and
Purpose of Audit


One of the FDIC’s critical functions is to manage and liquidate all assets of failed financial institutions. The Corporation’s existing asset servicing environment comprises a complex system of external, interim, and internal (in-house) servicing capabilities. The in-house technology consists of aging and highly customized commercial off-the-shelf software and internally developed applications that fulfill specific business functions. The purpose of the Asset Servicing Technology Enhancement Project (ASTEP) is to modernize the asset servicing function and align the processes performed under this function with industry best practices. ASTEP will allow the FDIC to maximize the use of commercially available software products to integrate as much of the asset servicing function as possible and to provide the FDIC with a variety of vendor sourcing options.

The objective of the audit was to determine whether the FDIC has established an adequate project management control framework for ensuring the delivery of ASTEP in a timely and cost-effective manner to meet corporate requirements and user needs. The report was prepared by KPMG LLP under a contract with the Office of Inspector General (OIG) to provide professional audit services.

FDIC, Federal Deposit Insurance Corporation


Results of Audit


The ASTEP project management team developed planning documents and implemented various activities that generally complied with the FDIC’s project management guidance and that the project team considered commensurate with the status of the project. During the initiation phase of ASTEP, the project management team performed business case analyses to identify benefits and improvements to the current system of asset servicing and developed a project work plan identifying activities to complete associated milestones. During the planning phase for system development, the project team also developed project charters that defined the goals and objectives for various project teams’ functions and a project governance structure that described support functions to manage system development activities. Additionally, the project team developed acquisition strategy, communications, risk management, and configuration management plans.

As ASTEP enters into the execution phase for system development and is re baselined, the project team needs to further strengthen its planning documents and management control processes to take into account the additional information obtained during the earlier project phases and to be commensurate with the additional risk associated with latter project phases. Strengthening the project management controls will facilitate decision making and monitoring and help ensure that ASTEP meets the needs of its users within schedule and budget requirements.

Recommendations and Management Response

KPMG recommended that as part of project re-baselining efforts, the FDIC:

  • fully document the costs and benefits of the ASTEP solution selected, and
  • enhance the ASTEP planning process to address the areas of improvement discussed in the report to achieve greater compliance with the FDIC Project Management Guide and to provide greater assurance of ASTEP success.

Management agreed with the recommendations and has either initiated or plans to initiate corrective actions.

ASTEP Project Vision and Objectives, triangle
Source: ASTEP Current State Assessment Report, December 7, 2004. [ D ]


FDIC OIG letterhead

DATE: December 16, 2005

MEMORANDUM TO: Mitchell L. Glassman
Division of Resolutions and Receiverships

FROM: Russell A. Rau [Electronically produced version; original signed by Stephen M. Beard]
Assistant Inspector General for Audits

SUBJECT: Project Management Framework for the Asset Servicing
Technology Enhancement Project
(Report No. 06-004)

Enclosed is a copy of the subject report prepared by KPMG LLP under a contract with the Office of Inspector General. Please refer to the Executive Summary for the overall audit results. The firm’s report is presented as Part I of this document.

A summary and evaluation of your response, the response in its entirety, and the status of the recommendations are contained in Part II of this report. The response adequately addressed the recommendations in the report. We consider the recommendations to be resolved, but they will remain open until we have determined that agreed-to-corrective actions have been completed and are effective.

If you have any questions concerning the report, please contact Stephen M. Beard, Deputy Assistant Inspector General for Audits, at (202) 416-4217, or Ben Hsiao, Associate Director, Systems Management and Systems Security Directorate, at (202) 416-2117. We appreciate the courtesies extended to the audit staff.

Attachment

cc:Steven Trout, DRR
 Rack Campbell, DIT


TABLE OF CONTENTS

Part I:
Report by KPMG LLP
Project Management Framework for the Asset Servicing Technology Enhancement
Project
Part II:
Corporation Comments and OIG Evaluation
Corporation Comments


Part I

Report by KPMG LLP



Project Management Framework for the
Asset Servicing Technology Enhancement Project (ASTEP)

 

Prepared for the
Federal Deposit Insurance Corporation
Office of Inspector General

 
 
FDIC logo
 
 
Prepared:
KPMG LLP
Risk Advisory Services – Federal Practice
2001 M Street, NW
Washington, DC 20036
(202) 533-3000


TABLE OF CONTENTS

EXECUTIVE SUMMARY
Results of Audit
Recommendations
BACKGROUND
DETAILED FINDINGS
FINDING 1: Cost-Benefit Analysis
FINDING 2: Improvements in Project Planning
APPENDIX A: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX B: FDIC PROJECT MANAGEMENT FRAMEWORK
APPENDIX C: PMBOK® GUIDE OVERVIEW
APPENDIX D: ACRONYMS
TABLES
Table 1:  Summary of Findings
Table 2:  ASTEP CBA – Return on Investment Study
Table 3:  Mapping of PMBOK® Guide Knowledge Areas to Management Processes
FIGURES
Figure 1: ASTEP Project Vision and Objectives
Figure 2: FDIC Project Management Life Cycle


EXECUTIVE SUMMARY

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to provide professional audit services. KPMG was tasked under the contract to audit and report on the effectiveness of the project management framework for the FDIC’s Asset Servicing Technology Enhancement Project (ASTEP).

The objective of the audit was to determine whether the FDIC has established an adequate control framework for ensuring the delivery of ASTEP in a timely and cost-effective manner to meet corporate requirements and user needs. The audit addressed key elements associated with effective project management such as documenting the project scope, tasks, schedules, allocation of resources, performance measurements, and inter-relationships with other projects. Project management activities cover the full spectrum of a project; from procurement and contract management to managing team and project performance; from risk management to communications; and from controlling scope “creep” to ensuring quality control. A detailed discussion of the audit objective, scope, and methodology is provided in Appendix A of this report.

In evaluating the effectiveness of project management practices for ASTEP, KPMG relied on the FDIC’s Project Management Governance policy and the FDIC Project Management Guide; both were issued in September 2004. The governance policy identifies key governance authorities[ 1 ] over projects and defines project management policy and oversight standards applicable to all projects at the FDIC. The policy states that all projects shall conform to minimum standards and procedures of an FDIC project management methodology as described in the FDIC Project Management Guide.[ 2 ]  The governance policy also provides oversight, funding, training, and reporting requirements applicable to effective management of FDIC projects. The FDIC Project Management Guide establishes a project management framework to provide project managers with repeatable and sustainable guidelines to ensure projects are well coordinated, thoroughly planned, properly executed, and closed out in accordance with managed and disciplined processes. The guide also includes templates and checklists that are intended to help project managers effectively and efficiently implement FDIC projects. The use of the techniques and forms in the guide is highly encouraged but is not mandatory. For further details on the project management framework, see Appendix B.

KPMG conducted its work from March 11, 2005 through July 29, 2005 in accordance with generally accepted government auditing standards.

Results of Audit

The ASTEP project management team developed planning documents and implemented various activities that generally complied with the FDIC’s project management guidance and that the project team considered commensurate with the status of the project.

As ASTEP enters into the execution phase of system development (execution phase) and is re-baselined, the project team needs to further strengthen its planning documents and management control processes to take into account the additional information obtained during the earlier project phases and to be commensurate with the additional risk associated with latter project phases. Strengthening the project management controls will facilitate decision making and monitoring and help ensure that ASTEP meets the needs of its users within schedule and budget requirements. Table 1 provides a summary of KPMG’s findings and areas in which project planning could be strengthened.

Table 1: Summary of Findings
Element of Project Planning Description Assessment
Summary of Status Areas That Could Be Strengthened
Business Needs To justify how the project will meet needs.
  • Business case analysis was performed.
  • Benefits and process improvements were identified.
  • Cost and benefit estimates for the ASTEP solution should fully describe how estimates are derived.
Description, Goals, and Objectives To provide an understanding of the program nature of the project.
  • Adequate descriptions were provided.
  • Goals and objectives for various project teams/functions were identified.
  • Not applicable.
Organization, Roles, and Responsibilities The organization, staff, roles, and responsibilities involved in project development.
  • Project team members were identified.
  • Roles and responsibilities were fully defined for executive sponsor and project manager only.
  • Roles and responsibilities addressing inter-relationships and integration of responsibilities across charters should be defined.
Work Breakdown Structure (WBS) The supporting detail to plan, organize, and control work performed.
  • ASTEP governance handbook requires a WBS.
  • Work products were defined as deliverables.
  • In the WBS, relationships between major activities, tasks, and deliverables should be defined with supporting detail to plan, organize, and control work performed.
Project Schedule The task, duration, resource availability, milestones, and constraints.
  • ASTEP governance handbook provides guidance on developing a project schedule.
  • A project schedule should be established that is accurate, complete, and at a level of detail sufficient for project management.
  • Tasks/milestones critical to project success need to be identified and highlighted for monitoring purposes.
  • Staff and capital resource availability should be addressed.
Resource/Cost Estimate The resource estimate for each WBS element by resource category (e.g., capital, fiscal, personnel, and time).
  • The contractor was identifying staff resources for each activity.
  • Resources should be budgeted based on the activities in the WBS and actual costs should be tracked in relation to the budgets.
  • FDIC staff resource requirements, including costs, should be fully defined.
  • The type of resource should be defined (e.g., capital resources such as office space, supplies, information technology (IT) equipment, and other materials for the ASTEP development, test, and production environment).
Acquisition Plan The processes for acquiring needed resources.
  • ASTEP Acquisition Strategy was defined.
  • Not applicable.
Project Controls To monitor project scope, schedule, and cost performance. To identify variances from planned objectives. To take corrective actions.
  • Weekly meetings and bi-weekly status reports monitor project progress.
  •     - Contractor was providing bi-weekly status reports on schedule and revisions, issues, and risks.
  • Executive sponsors were briefed monthly.
  • A formal process at the project level should be established to evaluate variances and, if needed, to initiate corrective actions to control variances in schedule, cost, scope, resources, and quality.
  • A master project plan should be used to monitor and control progress.
  • ASTEP-specific contract oversight procedures should be formally addressed.
  • An overall project performance measurement plan should be established.
  • Project issue logs should be consistently used to assess impact on schedule and budget.
Change Management To manage changes in scope, schedule, outputs and deliverables.
  • Change management process was defined for managing all ASTEP system requirements.
  • Configuration Control Board (CCB) was established to review and approve changes proposed.
  • The project baseline should be included as a configuration item subject to change management control.
Risk Management To identify, assess, and manage project risks.
  • Risk Assessment Questionnaire was completed to address likelihood of occurrence (qualitative).
  • Risk database/log was provided.
  • Risks were reviewed in monthly meetings (high risks are identified in status reports to executive sponsors).
  • The risk management plan should be finalized.
  • The current risk management process should be fully defined in a risk management plan.
  • Detailed risk mitigation plans should be developed.
  • Issues in contractor status reports should be addressed in accordance with FDIC project management guidelines.
Communications Management To detail communication initiatives.
  • Established communication plan was generally compliant with the PMBOK® Guide.
  • Stakeholder information needs were defined.
  • Communication activities for ASTEP Oversight Managers and Technical Monitors should be clarified.
Source: FDIC Project Management and Governance Guides and ASTEP Project Planning Documentation.


BACKGROUND

One of the critical functions for the FDIC is to manage and liquidate all assets of failed financial institutions. The FDIC’s existing asset servicing environment is composed of a complex system of external, interim, and internal (in-house) servicing capabilities. The in-house technology consists of aging and highly customized commercial off-the-shelf (COTS) software and internally developed applications that fulfill specific business functions. The FDIC uses 13 major asset servicing systems supported by a number of minor applications, automated utilities, and contracted services.

The purpose of ASTEP is to modernize the asset servicing function at the FDIC and align the processes performed under this function with industry best practices. ASTEP will allow the FDIC to maximize the use of commercially available software products to integrate as much of the asset servicing function as possible. ASTEP will also allow the FDIC to use a variety of vendor-sourcing options. Figure 1 illustrates ASTEP project vision and objectives.

The FDIC established ASTEP on October 7, 2003, and the FDIC Board of Directors approved $31.8 million[ 3 ] for ASTEP development. Prior to Board approval of ASTEP, a cost-benefit analysis was performed that considered four options:

  • Status Quo – No change (this was not considered by DRR as a viable option);
  • Enhanced Status Quo – Enhance National Processing System (NPS),[ 4 ] as the system for servicing receivership loans, to be compatible with an upgraded operating system;
  • NPS Replacement – Replace NPS with a COTS product that is hosted by a contractor application service provider (ASP); and
  • “Best of Breed” – Replace NPS with a COTS product that is hosted by an ASP. Also, integrate asset servicing business processes applications and databases through the use of middleware technology[ 5 ] and data warehousing with data transformation and workflow capabilities to achieve a common source of data and to maximize sharing of updates across the organization.
Figure 1, ASTEP Project Vision and Objectives, triangle
 [ D ]

DRR selected the “Best of Breed” solution, which consists of key IT components that will facilitate achieving the following:

  • replacement of NPS with an industry standard asset servicing loan accounting system that is hosted by an ASP for managing loan assets acquired from failed banks and financial institutions;
  • implementation of middleware technology to integrate applications and databases and standardize data flows between FDIC contract servicers and interim servicers (banks);
  • security protocols that will authenticate and facilitate secure data transmission from external data sources and will support single sign-on for users; and
  • implementation of a data warehouse to provide a timelier asset data and enterprise portal in handling ASTEP reporting requirements.

The FDIC’s expectations are that this approach will apply industry’s best practices in streamlining the asset servicing process, which will also involve extensive re-engineering of the asset servicing business process cycles related to managing and servicing an asset from acquisition by the FDIC to asset disposition.

The FDIC has contracted with three vendors to (1) provide project management advisory support, (2) replace NPS with a COTS Loan and Customer Information System managed by an ASP, and (3) develop the designated requirements and system design for the remaining ASTEP solution, and implement the solution. Key activities performed to date include: replacing NPS with the ASP, Metavante Corporation, in March 2005 (the first significant aspect of the ASTEP implementation); completing a requirements analysis in June 2005; and completing the system design in August 2005.

Originally, ASTEP system deployment was to occur by March 2005. However, the project has experienced delays. The project management team indicated that the delays were due to unforeseen circumstances that were not under its control, such as delays in obtaining contract authority; procuring the services of the three vendors; acquiring and piloting a new middleware software product (Websphere, which incurred a 9-month delay); and changing the procurement approach from task assignments to task orders. The project management team also indicated that further delays occurred because of organizational changes that limited availability of the staff to work with the contractor responsible for performing ASTEP requirements and design activities.

In September 2005, the ASTEP project management team began updating the cost and benefit estimates on the current ASTEP “Best of Breed” solution based on detailed information obtained from performing requirements analysis and design specification activities. The process of updating the estimates is part of the project management team’s efforts to re-baseline the project because the original deployment goals and objectives are no longer achievable within the original timeframe. According to ASTEP management officials, their more complete understanding of system requirements and design specifications will enable them to more accurately determine the costs and benefits of the project. This, in turn, will enable the ASTEP project management team to develop a more accurate, relevant, and reliable revised project plan.

Project Management Principles Applicable to ASTEP

In September 2004, the FDIC issued its Project Management Governance policy to identify key governance authorities over projects and to define project management policy and oversight standards applicable to all projects at the FDIC. The policy states that all projects shall conform to minimum standards and procedures as defined in the FDIC Project Management Guide also issued in September 2004. The guide establishes a project management framework to provide project managers with repeatable and sustainable guidelines to ensure that projects are well coordinated, thoroughly planned, properly executed, and closed out in accordance with managed and disciplined processes (see Appendix B).

ASTEP Management Structure

The ASTEP project management team consists of a group of Executive Sponsors from DRR, DIT, Division of Administration (DOA), and Division of Finance (DOF); a senior management official from DRR who serves as the principal executive sponsor; a DRR and DIT Project Manager; and project core team members from DRR, DIT, and DOF. The DRR Project Manager’s duties include orchestrating executive sponsor meetings; managing resources; resolving business issues; providing oversight; managing one of the ASTEP contractors (BearingPoint); and reviewing deliverables, invoices, and task orders. The DIT Project Manager is the oversight manager for the Deloitte Consulting LLP contract responsible for reviewing deliverables, invoices, and task orders. The core team members provide various services to ASTEP related to administration and technical project management oversight, including monitoring the contractor and serving as coordinators with end users and other projects with an interest in ASTEP. Additionally, the ASTEP project management team has established a user group that will assist in validating business process and data models, developing reports, testing the system as its is developed, and acting as an intermediary with the ASTEP staff to address questions or issues regarding the project.

DETAILED FINDINGS

The project management team for ASTEP has applied several of the principles promulgated in the FDIC Project Management Guide. During the initiation phase of the project, the ASTEP project management team performed business case analyses to identify benefits and improvements that can be made to the current system, including developing a conceptual model for planning and executing the project; identifying positive and negative impacts of the project on stakeholders; and developing initial estimates for the return on investment. The ASTEP project management team developed project charters that define the goals, objectives, and descriptions of various project functions to be performed, including the identification of key team members. A risk analysis was completed prior to project commencement to identify issues that could negatively impact the project. At the start of systems development life-cycle activities, the project management team developed a governance structure and a schedule-based project plan that describes various functions to manage ASTEP analysis and design activities. During that period, the project management team also developed an integrated acquisition strategy, as well as communications, risk management, and configuration plans.

As ASTEP enters into the execution phase and is re-baselined, the FDIC needs to strengthen its project management control framework through completion of the ASTEP master project plan. Specifically, the FDIC needs to more fully describe the methods used in deriving the costs and benefits associated with the ASTEP solution and improve various elements of project planning to achieve greater compliance with the FDIC’s project management guidance and to provide greater assurance of ASTEP success. If these issues are not fully addressed, the FDIC may lack sufficient information to make informed decisions regarding project development activities that may impact the success of the project. Details of these findings are addressed below.

Finding 1: Cost-Benefit Analysis

Condition:
The ASTEP Cost-Benefit Analysis (CBA) generally stated that the ASTEP project management team received information from a variety of sources for use in determining quantifiable costs of the options. The information included (1) 2003 budget estimates and rates that served as the basis for estimating the future cost of operations, maintenance, and new development and (2) other cost estimates provided by companies offering services to the FDIC based on either hourly rates or costs that were offered on a per-function or per-transaction basis or that were based on formulas such as a percentage of loan volumes or loans processed.

The CBA report did not link the estimated cost items to their sources and fully describe methods, assumptions, and rationales for determining life-cycle costs and benefits for the options reviewed. Specifically, for the budget category line items in areas such as new development and maintenance, KPMG noted that cost breakdowns for the options reviewed often did not describe how estimates had been derived. For example, many line items listed the number of FDIC employees (full-time equivalents) or contractors needed but did not justify the activities planned to be performed or work products to be completed. In other instances, only partial explanations were provided.

Similarly, KPMG found that estimates for the benefits associated with the “Best of Breed” option were not fully explained. Moreover, the CBA report indicated material quantifiable benefits realized only for the “Best of Breed” option, which was the only option that addressed all aspects of the asset servicing business process cycles. The CBA report stated that the Enhanced Status Quo and NPS Replacement options addressed only business functionality and did not significantly improve the FDIC’s current or future business environment. Consequently, only the “Best of Breed” option, as shown in Table 2, contains a present value of accumulated benefits. In addition, the “Best of Breed” option was partially based on vendor-specific products, such as the use of NFE PeopleSoft Web portal and data warehouse products, and did not include a general requirements review to determine the viability of these specific products to ASTEP applications. In March 2005, the ASTEP project management team reported that the NFE PeopleSoft portal and data warehouse could not interface with ASTEP applications. Therefore, additional costs may be incurred in developing an ASTEP portal and data warehouse, which would negatively impact the CBA.

Table 2: ASTEP CBA – Return on Investment Study
 

Options
(Amounts in Thousands)

 

Status Quo

Enhanced Status Quo

NPS Replacement

Best of Breed

Total Present Value (PV) Accumulated Benefit $0 $0 $0 $11,965
Total PV Accumulated New Development Costs $0 $20,383 $20,857 $26,092
Total PV of Total Operations and Maintenance Costs $25,326 $30,734 $32,177 $28,617
Return on Investment N/A -127% -133% -67%
Source: FDIC ASTEP Business Case and Value Analysis Executive Summary, August 15, 2003.

Cause:
The ASTEP project management team indicated that it did not have sufficient resources or information to complete a more detailed evaluation that included an in-depth requirements analysis and specifications of work products for the three alternative options reviewed.

The contractor for ASTEP development has recently developed system requirements and design specifications for the “Best of Breed” option chosen as the ASTEP solution. The completion of the system requirements and design will provide the information needed for the ASTEP project management team to more accurately estimate the costs and benefits of implementing the “Best of Breed” option as the project enters the execution phase.

Criteria:
There are several criteria related to cost-benefit analysis. The FDIC Capital Investment Policy, issued on April 11, 2005, calls for a clear and complete CBA to ensure a well-informed decision regarding capital investments such as ASTEP.

FDIC Circular 4310.1, Utilizing Cost Benefit Analysis Methodology for the Purchase or Development of Capital Assets, dated July 17, 1998, and Office of Management and Budget (OMB) Circular No. A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs, state that CBAs should be performed to promote efficient resource allocation through well-informed decision making. The analysis should be explicit about underlying assumptions used to arrive at estimates of future benefits and costs. The analysis should include a statement of the rationale behind the assumptions and a review of their strengths and weaknesses. Key data and results should be reported to promote independent analysis and review.

Effect:
A more detailed evaluation of costs and benefits would have provided the team with a more comprehensive CBA and with resource requirements estimates of activities or work products. The initial CBA did not contain sufficient information to fully describe budget category items’ costs and benefits for the options that were considered.

Because the system requirements and design specifications have been developed, it is important that the ASTEP project management team accurately estimate the costs and benefits of the “Best of Breed” option as the project enters the execution phase. Otherwise, the lack of accurate estimates of costs and benefits will hinder management decision making and evaluations of project performance.

Recommendation:

  1. KPMG recommends that DRR, in coordination with DIT, fully document costs and benefits in updating the ASTEP solution through current re-baselining efforts, including addressing key activities associated with specified costs. This analysis should include the lower level of detail available from contractor-developed costs in deriving key system requirements and design specifications that address the ASTEP strategies identified by project sponsors.

Finding 2: Improvements in Project Planning

Condition:
KPMG found that the ASTEP project management team has developed planning documents and implemented various activities that generally complied with the FDIC’s project management guidance. However, the project team did not develop a project plan that fully complies with the FDIC project-planning template provided in the FDIC Project Management Guide. Improvements to various elements of project planning will achieve greater compliance with the guide and provide greater assurance of ASTEP success as the project enters the execution phase. Strengthening project planning will also facilitate decision making and progress monitoring and helps ensure that ASTEP meets the needs of its users within schedule and budget requirements. Specific areas needing improvements are discussed below.

Organization Roles and Responsibilities
The ASTEP governance handbook states that the ASTEP team and its subteams should define their respective specific goals and responsibilities in project planning charters. KPMG’s review of planning charters found that goals were specifically stated, but roles and responsibilities addressing inter-relationships and integration of responsibilities across project charters were not defined. This may impact the effectiveness of activities performed or desired outcomes described in project charters for key areas such as ASP conversion, business process improvement, change management, data and reporting, systems and technology, and training.

Work Breakdown Structure
The project Work Breakdown Structure does not adequately define and provide sufficient supporting details for relationships between major activities and tasks to plan, organize, and control the scope of work performed. For example, the WBS does not contain sufficient detail in addressing tasks associated with defining ASTEP business process flows and developing detailed system requirements and design specifications related to these business process flows.

Project Schedule
The master project plan does not accurately capture the estimated and actual project start and end dates. Also, the project schedule, as the principal component of the master project work plan, is not accurate and complete. KPMG noted many development activities that were not accurately conveyed on the master project plan when compared to the contractor’s schedule, such as the stated timelines for developing ASTEP design specifications and performing critical design review activities. KPMG also noted that the master project plan does not contain a deployment date or dates for several systems development activities that are critical to project success, such as testing and data conversion; subprojects are inaccurately merged into the master plan; and resource availability issues are not addressed.

Resource/Cost Estimate
The ASTEP project management team has not developed a cost allocation plan to show the breakdown of the $31.8 million budget approved by the FDIC Board of Directors for ASTEP. Without a plan that shows a breakdown of costs for performing systems development activities, the ability of the project management team to manage and control resources for future project activities may be impaired. Further, internal FDIC staff resource requirements, including costs, have not been defined, and resource allocations for project tasks are focused on personnel resources only and do not address other type of resources, such as office space, supplies, IT equipment, and other materials for ASTEP development, testing, and production environments.

Project Controls
The project management team has not established a formal process to evaluate variances and, if needed, initiate corrective actions to control variances in schedule, cost, scope, resources, and quality. Beyond status meetings and biweekly status reports, there are no specific formal processes to provide updates to the project plan and no formal controls to assess variances. Additionally, the process for ASTEP oversight and technical monitors to assess contractor performance activities has not been formally defined.

Another area of concern is that a master project performance measurement plan has not been formalized to identify both qualitative and quantitative measures. Such measures determine whether the execution of project activities is producing the desired effects in assessing project success. The plan would align these measures with critical success factors defined at the onset of the project, such as managing assets with external contractors; leveraging NFE technology; having an in-house asset servicing capability; establishing the ability for users to access and view asset data on both externally and internally managed assets; accommodating changes in FDIC business processes; and applying an effective and highly efficient systems integration solution between disparate data and applications.

The ASTEP project management team addresses these issues in a limited manner through contractor status reports and user survey questionnaires taken upon completion of major milestones. Also, the project management team tasked its systems development contractor to define four high-level performance metrics related to cost, schedule, “goodness” of requirements, and “goodness” of design. However, these efforts do not fully represent a formal master project performance measurement plan that is linked to critical success factors and includes specific methodologies to calculate and evaluate the results.

Change Management
The project management team has developed a configuration management plan and a change control process. The plan describes the infrastructure and processes used to manage and control changes to ASTEP deliverables and other important project-related work products. The plan addresses the initial needs of ASTEP, which include the startup of a CCB and change management processes for managing all ASTEP system requirements, including changes, and assuring that the results conform to requirements.

However, the project baseline plan is not included as an item subject to change management control. Establishing a baseline for the project plan under a change management process would provide the ASTEP project management team more effective control over the project if it diverges from the plan. If a corrective action requires a change to the project baseline, the action should be submitted to and reviewed through the change management process that includes CCB approval. Such a process is used to establish, analyze, communicate, and record approved changes to the project baseline.

Risk Management
The current risk management process is not fully defined in the risk management plan, and detailed risk mitigation plans prescribed in the plan have not been developed. Additionally, issues and risks in contractor activity reports and deliverables were often not addressed in ASTEP project management risk and issue logs or reports. For example, in reviewing a status report issued on July 15, 2005, KPMG noted that risk issues related to poor scope definition, timely access to staff and third-party vendors, and integration with ASP and other COTS technologies had not been addressed in formal project management risk logs. Therefore, KPMG could not determine the status of these issues and risk areas. The ASTEP project management team started using issue logs in July 2005, but the logs do not assess impact on schedule and budget in accordance with FDIC project management guidelines.

Communications Plan
On November 5, 2004, the ASTEP project management team issued a communications plan that addressed, by stakeholder, the communications and events planned in order to successfully implement ASTEP. However, an ASTEP risk assessment summary report indicated that there is a lack of defined communication responsibilities for ASTEP Oversight Managers (OMs) and Technical Monitors (TMs). These responsibilities, as required by the FDIC Acquisition Policy Manual,[ 6 ] would include specific guidelines on communicating with the contractor on the performance of key requirements development activities, including modifications to requirements; communicating with the FDIC Contracting Officer in the development and implementation of an oversight monitoring plan to assist in the performance of oversight activities for complex services contracts; and communicating with TMs in delegating performance monitoring responsibilities. Communication responsibilities of OMs and TMs need to be clearly defined because the level of contractor activity is expected to increase as ASTEP enters into the execution phase.

Cause:
According to the ASTEP project management team, initial project plan development and maintenance has not been emphasized. Instead, the team placed reliance on contractor task orders and planning schedules to manage the project, which do not take into account overall ASTEP project performance and management responsibilities. Additionally, to define a project scope or WBS in managing and controlling specific project activities, the project management team stressed that it needed the finalized requirements analysis and completed detail designs. The project management team advised us that the WBS will be refined as the project progresses through system development activities.

Criteria:
The FDIC Project Governance Guide states that all FDIC projects are required to complete and follow all aspects of the FDIC project management methodology described in the guide. This includes elements of project planning in documenting project scope, tasks, schedules, allocation of resources, performance measurements, and inter-relationships with other projects. The project planning activities should cover the full spectrum of a project – from procurement and contract management to team and project performance management; from risk management to communications management; and from controlling scope “creep” to ensuring quality control. Additionally, the FDIC Project Management Guide emphasizes the creation and use of WBS and performance measures for project planning. The WBS is the driver for project schedule and project budget (e.g., resources, material, equipments, and contractors). The guide states that, upon completion of the initiation phase, a WBS should be developed to plan, organize, and control work performed in managing FDIC projects.

Performance measures determine whether the execution of the tasks is producing the desired effects. Performance measures should be developed for lagging indicators of a project’s past success or failure (such as the percentage of the budget spent or the percentage of deliverables submitted on time). Project managers should also develop leading (predictive) measures that prompt or support project execution decisions and can positively influence future success.

Effect:
Without effective management control and visibility into the activities occurring in ASTEP, the project management team may lack sufficient detail to ensure that the project is successfully executed and managed and that its status is communicated to stakeholders in a timely fashion. Further, the development of comprehensive project planning documents is needed for the project management team to make informed decisions in moving forward with project system development and deployment activities.

Recommendation:

  1. As part of the current project re-baselining effort, KPMG recommends that DRR, in coordination with DIT, enhance the ASTEP planning process by addressing areas needing improvement, as discussed in this report, to achieve greater compliance with the FDIC Project Management Guide and to provide greater assurance of ASTEP success, including:

  • Defining inter-relationships and integration of responsibilities across project charters.
  • Defining the contractor oversight process in relation to ASTEP OM and TM roles, responsibilities, and communication activities.
  • Developing an accurate and complete master project plan baseline, under configuration management control, that defines all major ASTEP activities, including integrating contractor subteam plans into the master project plan; defines project and performance measures to measure project success; identifies the scope of work for major activities defined in the plan through a WBS; and discloses fully the cost estimates for all resource categories.
  • Establishing formal project controls to evaluate variances and, if needed, to initiate corrective actions for schedule, cost, scope, and quality variances.
  • Updating and clarifying current risk assessment procedures and practices in the ASTEP risk management plan and finalizing the plan.
  • Developing risk mitigation plans for high priority-risks as required by the ASTEP risk management plan and ensuring that issues and risks are addressed in either the risk or the issue logs in accordance with the FDIC’s project management guidelines.



APPENDIX A: OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of the audit was to determine whether the FDIC has established an adequate control framework for ensuring the delivery of ASTEP in a timely and cost-effective manner to meet corporate requirements and user needs. KPMG conducted its audit work in Washington, D.C., and Dallas, Texas, from March 11, 2005 through July 29, 2005 in accordance with generally accepted government auditing standards.

Scope

The scope of coverage focused on evaluating the adequacy and effectiveness of key project management planning activities, which included the following:

  • Business needs, project goals, and objectives are well defined.
  • The project team structure is defined, and roles and responsibilities are documented.
  • The plan is developed in sufficient detail, including work products and tasks, resources assigned, milestones, and constraints.
  • Resource and cost budgeting is established for the WBS.
  • An acquisition plan defines processes for acquiring and managing resource requirements to ensure resource availabilities.
  • Project control processes are implemented to monitor project scope, and measurements are in place for comparing actual work product and task attributes, effort, cost, and schedule to the plan at prescribed milestones or control levels within the project schedule or WBS. This includes determining whether controls enable timely corrective action to be taken when performance deviates significantly from the plan.
  • Change control management is in place to manage changes in scope, schedule, outputs, and deliverables.
  • The risk management process is documented and applied in identifying, assessing, and efficiently managing project risks.
  • A communications management plan identifies information recipients, their needs, and detailed communication methods and frequencies.

Methodology

KPMG evaluated the project management control framework for ASTEP according to the FDIC’s Project Management Governance policy and the FDIC Project Management Guide, which defines the FDIC’s project management methodology that all FDIC projects are required to implement. The FDIC’s guide is based on the PMBOK® Guide, which is recognized as a commercial and public sector “best practice.”

In assessing compliance with the FDIC Project Management Guide, KPMG performed the following:

  • Conducted interviews with DRR and DIT officials who are responsible for managing and implementing ASTEP to ascertain their understanding of the FDIC’s project management methodology.
  • Conducted interviews with ASTEP stakeholders from DRR, DIT, and DOF in Washington, D.C., and Dallas, Texas, to determine their understanding of their roles and responsibilities and degree of involvement in system development activities.
  • Conducted interviews with contractor management officials tasked to develop the ASTEP system to ascertain project management requirements established in accordance with the direction of the ASTEP project management team.
  • Conducted interviews with contractor management officials responsible for providing project management advisory support to the ASTEP project management team to ascertain the support provided and the officials’ understanding of the project management control framework for ASTEP.
  • Reviewed key system development documents in obtaining background information on ASTEP.
  • Identified applicable FDIC policies and procedures related to project management.
  • Obtained and reviewed project documents relevant to project management procedures and activities.
  • Reviewed contract deliverables related to ASTEP systems development and advisory support provided to the ASTEP project management team.
  • Obtained and reviewed ASTEP contractors’ task orders and requests for proposals.




APPENDIX B: FDIC PROJECT MANAGEMENT FRAMEWORK

In September 2004, the FDIC issued its Project Management Governance policy to promote more effective management control in reducing project, business, and technical risks. The policy identifies key governance authorities over projects and defines project management policy and oversight standards applicable to all projects at the FDIC. This includes adhering to minimum standards and procedures as defined in the FDIC Project Management Guide, which was also issued in September 2004. The guide is based on the PMBOK® Guide, which is recognized as a commercial and public sector “best practice.”

The FDIC Project Management Guide provides the FDIC with a project management framework. As shown in Figure 2, the framework consists of five phases in a project’s life cycle. Each project phase normally includes a set of defined deliverables designed to establish the desired level of management control. Completing each phase provides the project managers with the knowledge, tools, and expertise to be successful in subsequent phases. The guide provides project managers with repeatable and sustainable guidelines to ensure that projects are well coordinated, thoroughly planned, properly executed, and closed out in accordance with managed and disciplined processes. Specific management control objectives and supporting processes associated with each phase are described in Figure 2.

Figure 2: FDIC Project Management Life Cycle
FDIC Project Management Life Cycle, chart 
Source: FDIC Project Management Guide, September 2004.

[ D ]

Initiation Phase (Phase 1): This phase ensures that managers and leaders associated with the project understand the complexities and intent of a project before considerable effort is undertaken to develop and execute it. In this phase, a decision is made on whether to implement a project based on a CBA of alternatives reviewed by the FDIC’s senior management leadership.

Planning Phase (Phase 2): In this phase, the project plan is developed in sufficient detail to allow the project to be successfully executed and managed and its status communicated to stakeholders in a timely fashion. Sufficient detail includes estimating attributes of the work products and tasks associated with the systems development efforts, determining the resources needed, negotiating commitments, producing a schedule, and identifying and analyzing project risks.

Monitoring and Control Phase (Phases 3 and 4): During these two phases, the project management team analyzes project reports, responds to changes to enable the project to remain successful, and creates a means for timely and candid communications with senior leadership and stakeholders to improve performance and efficiency. Specific activities would include comparing actual work product and task attributes, effort, cost, and schedule to the plan at prescribed milestones or control levels within the project schedule or WBS. The project management team would also determine whether appropriate visibility enables timely corrective action to be taken when performance deviates significantly from the plan. The Monitoring and Control phase runs throughout the project’s life cycle.

Close Out Phase (Phase 5): This phase allows the FDIC to learn from each project experience and ensures that each project has successfully fulfilled its fiscal obligations and accomplished its original intent. In this phase, the project reaches one of three natural conclusions:

  • Completion. The project manager or the FDIC senior leadership concludes the project because it either has accomplished its objectives or is not likely to do so with the remaining resources and time available.
  • Continuation. The project manager or the FDIC senior leadership determines that the project should continue, either in its current form or in a modified form that stresses or tests another aspect of the project.
  • Operationalization. If the results of the project warrant the modification of the organization’s business processes or procedures, the project is incorporated into the organization’s normal business routine.




APPENDIX C: PMBOK® GUIDE OVERVIEW

The PMI has conducted extensive research and analysis in the field of project management and has published a standards guide referred to as the PMBOK® Guide. The PMBOK® Guide documents proven practices, tools, and techniques that have become generally accepted in the field of project management, including information systems development and implementation. The guide identifies project management life-cycle processes that the FDIC has applied in its project management methodology as well as nine distinct knowledge areas, applied in varying degrees that are associated with successful project management. Table 3 shows the relationship of the knowledge areas to the project management processes for which the knowledge areas are principally applied as key elements of the project planning and controlling processes.

Table 3: Mapping of PMBOK® Guide Knowledge Areas to Management Processes
PMLC* Initiation Planning Executing Controlling Closing
Knowledge Area
Project Integration Management  
  • Project Plan Development
  • Project Plan Execution
  • Integrated Change Control
 
Scope Management
  • Initiation
  • Scope Planning

  • Scope Definition
 
  • Scope Verification

  • Scope Change Control
 
Time Management  
  • Activity Definition

  • Activity Sequencing

  • Activity Duration Estimating

  • Schedule Development
 
  • Schedule Control
 
Cost Management  
  • Resource Planning

  • Cost Estimating

  • Cost Budgeting
 
  • Cost Control
 
Quality Management  
  • Quality Planning
  • Quality Assurance
  • Quality Control
 
Human Resource Management  
  • Organizational Planning

  • Staff Acquisition
  • Team Development
   
Communications Management  
  • Communications Planning
  • Information Distribution
  • Performance Reporting
  • Administrative Closure
Risk Management  
  • Risk Management Planning

  • Risk Identification

  • Qualitative Risk Analysis

  • Quantitative Risk Analysis

  • Risk Response Planning
 
  • Risk Monitoring and Control
 
Project Procurement Management  
  • Procurement Planning

  • Solicitation Planning

  • Solicitation

  • Source Selection

  • Contract Administration
 
  • Contract Closeout
Source: PMBOK® Guide, 2000.
* Project Management Life Cycle.


The knowledge areas are described as follows:

  • Integration Management: The processes that ensure various elements of a project are properly coordinated. It consists of project plan development and execution and integrated change control.
  • Scope Management: The processes that ensure a project includes all of the work required, and only the work required, to complete the project successfully. It consists of initiation and scope planning, definition, verification, and change control.
  • Time Management: The processes that ensure timely completion of a project. It consists of activity definition, sequencing, and duration estimating as well as schedule development and schedule control.
  • Cost Management: The processes that ensure a project is completed within the approved budget. It consists of resource planning and cost estimating, cost budgeting, and cost control.
  • Quality Management: The processes that ensure a project will satisfy the needs for which it was undertaken. It consists of quality planning, assurance, and control.
  • Human Resource Management: The processes that make the most effective use of the people involved within a project. It consists of organizational planning, staff acquisition, and team development.
  • Communications Management: The processes that ensure timely and appropriate generation, collection, dissemination, storage, and ultimate disposition of project information. It consists of communications planning, information distribution, performance reporting, and administrative closure.
  • Risk Management: The processes concerned with identifying, analyzing, and responding to project risk. It consists of risk management planning, risk identification, qualitative and quantitative risk analysis, risk response planning, and risk monitoring and control.
  • Procurement management: The processes related to acquiring goods and services from outside the organization. It consists of procurement and solicitation planning, solicitation, source selection, contract administration, and contract closeout.


APPENDIX D: ACRONYMS

Acronyms Definition
ASP Application Service Provider
ASTEP Asset Servicing Technology Enhancement Project
CBA Cost-Benefit Analysis
CCB Configuration Control Board
CIO Chief Information Officer
CIRC Capital Investment Review Committee
COTS Commercial Off-the-Shelf
DIT Division of Information Technology
DOA Division of Administration
DOF Division of Finance
DRR Division of Resolutions and Receiverships
FDIC Federal Deposit Insurance Corporation
IT Information Technology
KPMG KPMG LLP
NPS National Processing System
OIG Office of Inspector General
OM Oversight Manager
OMB Office of Management and Budget
PMBOK® Project Management Body of Knowledge
PMI Project Management Institute
PV Present Value
TM Technical Monitor
WBS Work Breakdown Structure


Part II

Corporation Comments and OIG Evaluation



CORPORATION COMMENTS AND OIG EVALUATION

The report contains two recommendations for the Director, DRR. The Director, DRR, provided a written response to the draft report on November 30, 2005. Management’s response is presented, in its entirety, beginning on page II-4. DRR management concurred with the recommendations, which we consider resolved, but they will remain open for reporting purposes until we have determined that agreed-to corrective actions have been completed and are effective. In addition to addressing the recommendations, the Director, DRR, also commented on the content of the report. Based on the Director’s comments, we made changes to the report content as deemed appropriate. DRR’s response to the recommendations is summarized below, along with our evaluation of the response.

Recommendation 1: KPMG recommends that DRR, in coordination with DIT, fully document costs and benefits in updating the ASTEP solution through current re-baselining efforts, including addressing key activities associated with specified costs. This analysis should include the lower level of detail available from contractor-developed costs in deriving key system requirements and design specifications that address the ASTEP strategies identified by project sponsors.

DRR Response: DRR concurs with the recommendation. According to established CIRC procedures, if cost estimates remain within the approved investment budget, a formal document updating the original cost-benefit analysis is not required. The ASTEP project management team re-evaluated ASTEP costs, resulting in revised cost estimates within the approved investment budget. The ASTEP project management team is in the process of obtaining concurrence from the Finance Analysis Committee, the Chief Financial Officer, and CIRC, which is expected no later than February 28, 2006.

OIG Evaluation of Response: DRR’s response adequately addresses our concern that cost estimates needed to be updated to reflect system requirements and design specifications that were not known at the time the initial CBA was done. However, the response did not address whether benefits of the “Best of Breed” option had been updated to take into consideration this additional information. We discussed this issue further with DRR management after receiving its response. DRR management indicated that the original investment budget of $31.8 million will cover all of the functional requirements associated with the benefits identified in the initial CBA. Based on management’s written response and subsequent clarification, we consider the recommendation resolved. Nevertheless, as required by the FDIC Capital Investment Policy, we advise DRR to prioritize the requirements based on the associated benefits, such as those identified in the initial CBA. Doing so will assist DRR in determining which requirements could be deferred or eliminated in the event that certain costs were underestimated. The recommendation will remain open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 2: As part of the current project re-baselining effort, KPMG recommends that DRR, in coordination with DIT, enhance the ASTEP project planning process by addressing areas needing improvement, as discussed in this report, to achieve greater compliance with the FDIC Project Management Guide and to provide greater assurance of ASTEP project success, including:

  • Defining inter-relationships and integration of responsibilities across project charters.
  • Defining the contractor oversight process in relation to ASTEP OM and TM roles, responsibilities, and communication activities.
  • Developing an accurate and complete master project plan baseline, under configuration management control, that defines all major ASTEP project activities, including integrating contractor subteam plans into the master project plan; defines project and performance measures to measure project success; identifies the scope of work for major activities defined in the plan through a WBS; and fully discloses cost estimates for all resource categories.
  • Establishing formal project controls to evaluate variances and, if needed, to initiate corrective actions for schedule, cost, scope, and quality variances.
  • Updating and clarifying current risk assessment procedures and practices in the ASTEP risk management plan and finalizing the plan.
  • Developing risk mitigation plans for high-priority risks as required by the ASTEP risk management plan and ensuring that issues and risks are addressed in either the risk or the issue logs in accordance with the FDIC’s project management guidelines.

DRR’s Response:

  • Defining inter-relationships and integration of responsibilities across project charters.

DRR agrees with this element of recommendation 2. The ASTEP team is currently reviewing the team charter and will update it as deemed necessary.

  • Defining the contractor oversight process in relation to ASTEP OM and TM roles, responsibilities, and communication activities.

DRR agrees. The ASTEP team will add a statement to the Communications Plan, which acknowledges that OM and TM roles are defined and governed by the Acquisition Policy Manual.

  • Developing an accurate and complete master project plan baseline, under configuration management control, that defines all major ASTEP project activities, including integrating contractor subteam plans into the master project plan; defines project and performance measures to measure project success; identifies the scope of work for major activities defined in the plan through a WBS; and fully discloses cost estimates for all resource categories.

DRR agrees. The ASTEP team is committed to developing an accurate and complete master project plan that is baselined under configuration management control, that is, a plan that identifies the scope of work for major activities defined in the plan through a WBS. The ASTEP project management team will have cost estimates for resource categories at the task-order level for contractor resources. Project measures indicate whether the project is being executed successfully, namely whether it is on time, on budget, and within scope. The ASTEP team uses the required CIRC reporting process to assess these project measures and reports to the CIRC and the ASTEP Executive Sponsors quarterly. In addition, a bi-weekly scorecard is prepared and reviewed with FDIC senior management. Performance measures to assess whether the execution of the tasks is producing the desired effect will be monitored under a separate plan.

  • Establishing formal project controls to evaluate variances and, if needed, to initiate corrective actions for schedule, cost, scope, and quality variances.

DRR agrees. The schedule will be monitored monthly by the ASTEP project management team, using the Master Project Plan for scheduled starts, finishes, milestones, critical path, and percent complete. As discussed earlier, the cost component of the Master Project Plan will be monitored subject to FDIC system limitations. The Change Control will continue to monitor the scope component of this element.

  • Updating and clarifying current risk assessment procedures and practices in the ASTEP risk management plan and finalizing the plan.

DRR agrees. The ASTEP project management team will finalize the Risk Management Plan to include the ASTEP team's current risk assessment procedures.

  • Developing risk mitigation plans for high-priority risks as required by the ASTEP risk management plan and ensuring that issues and risks are addressed in either the risk or the issue logs in accordance with the FDIC’s project management guidelines.

DRR agrees. Rather than using the high-level templates in the FDIC Project Management Guide, the ASTEP project management team is using the more detailed templates provided by the FDIC’s Office of Enterprise Risk Management. The team is reviewing the ASTEP Risk Log and Risk Management Plan to ensure that high-priority risks are identified with specific mitigation plans. Risk mitigation plans will be updated in the Risk Log or Risk Management Plan, as appropriate.

OIG Evaluation of Response: The corrective actions described in the response meet the intent of the recommendation. We consider the recommendation resolved, but it will remain open until we have determined that agreed-to corrective actions have been completed and are effective.


CORPORATION COMMENTS


Division of Resolutions and Receiverships, Corporation Comments, page 1
[ D ]
Division of Resolutions and Receiverships, Corporation Comments, page 2
[ D ]
Division of Resolutions and Receiverships, Corporation Comments, page 3
[ D ]
Division of Resolutions and Receiverships, Corporation Comments, page 4
[ D ]
Division of Resolutions and Receiverships, Corporation Comments, page 5
[ D ]
Division of Resolutions and Receiverships, Corporation Comments, page 6
[ D ]
Division of Resolutions and Receiverships, Corporation Comments, page 7
[ D ]


MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance.

Recommendation
Number
Corrective Action: Taken or Planned/Status Expected
Completion Date
Monetary Benefits Resolved: [ a ] Yes or No
Open or Closed [ b ]
1
The ASTEP project management team has re-evaluated the ASTEP costs, resulting in revised cost estimates within the approved investment budget. The ASTEP project management team is in the process of obtaining concurrence from the Finance Analysis Committee, the Chief Financial Officer, and the CIRC.   2/28/06   N/A   Yes   Open
2 (Element 1)
The ASTEP team is reviewing the team charter and will update it as deemed necessary.   1/31/06   N/A   Yes   Open
2 (Element 2)
The ASTEP team will add a statement to the Communications Plan, which acknowledges that the OM and the TM roles are defined and governed by the Acquisition Policy Manual.   1/31/06   N/A   Yes   Open
2 (Element 3)
The ASTEP project management team is committed to developing an accurate and complete master project plan that identifies the scope of the work for major activities defined in the plan through a WBS. The team will have cost estimates for resource categories at the task-order level for contractor resources. Performance measures to assess whether the execution of the tasks is producing the desired effect will be monitored under a separate plan.   2/28/06   N/A   Yes   Open
2 (Element 4)
The schedule will be monitored monthly by the ASTEP project management team, using the Master Project Plan for scheduled starts, finishes, milestones, critical path, and percent complete. The cost component will be monitored subject to FDIC system limitations. The Change Control will continue to monitor the scope component of this element.   2/28/06   N/A   Yes   Open
2 (Element 5)
The ASTEP team will update the Risk Management Plan to include the team’s current risk assessment procedures.   3/31/06   N/A   Yes   Open
2 (Element 6)
The ASTEP team will develop high-priority risk mitigation plans using more detailed templates provided by the FDIC’s Office of Enterprise Risk Management. The team will review the ASTEP Risk Log and Risk Management Plan to ensure that high-priority risks are identified with specific risk mitigation plans. Risk mitigation plans will be updated in the Risk Log or Risk Management Plan, as appropriate.   3/31/06   N/A   Yes   Open
a Resolved –
(1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
(2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
(3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

b Dispositioned – The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation.


Last updated 01/13/2006