The Challenges of Weak Governance and FITARA

This blog is an excerpt from GovLoop’s recent research brief, Finding FITARA Success With Better Governance. Download the full brief here

A quick examination of the results of a GovLoop survey of 138 public sector professionals on issues related to FITARA helps illustrate why agencies are struggling so much with acquisition waste, duplication and, ultimately, poor governance.

Poor visibility into acquisitions 

When asked, “Does your agency have adequate visibility, tracking and analysis of IT assets and acquisition activities?” only about a third said yes. Almost 22 percent said no. But almost half said they didn’t know. This is telling because at an organization where IT assets and acquisitions are tracked, visible enterprisewide and analyzed, everyone associated with IT management would necessarily know the adequacy because decisions are based on that information. It is at organizations that are fragmented and stovepiped that employees would not be aware of what other operating units are doing.

“From a governance, risk management and compliance (GRC) perspective, this is not surprising,” Chris Hoover, a GRC Strategist at RSA, said of the survey results. “It is a question of organizational GRC maturity, combined with the fact that FITARA is relatively new, that a lot of people don’t know what they don’t know.”

When asked to rate the scale of acquisition waste at their agencies, survey respondents were fairly split. Roughly a third said they thought there was only a “minimal amount” or “little to none.” A far larger percentage (43 percent) guessed it was “average,” while a quarter of respondents said their agencies were suffering “quite a bit” or “high levels” of acquisition waste.

Although these questions offer broad insights into government employee perceptions of acquisition waste, the results are hardly telling given the subjective nature of how one might define low, average or high amounts of acquisition waste. Hoover points out that federal organizations can estimate waste only if they have effective data and visibility into that data. “If organizations were good at estimating waste, there wouldn’t be a FITARA,” he said. “As stated earlier, it is an organizational maturity issue, and cross-domain, cross-enterprise visibility is not a hallmark of less-mature organizations, and this is one of the main ways waste happens.” Overall, there is a lack of information sharing and knowledge across the enterprise which makes it difficult see where there is waste or redundancy.

Answers to Question 6 of the survey support Hoover’s observation. It asked respondents whether their agencies have ways to track and compare acquisitions to better understand waste and redundancy. Only a quarter of respondents said yes, while one in eight said no; the remaining 63 percent were unsure. Of the respondents who said their agencies can track and analyze acquisitions to identify waste, only a quarter said that capability was fully automated. The rest said it was manual or a combination of manual and automated.

Taken together, these responses point to minimal cross-enterprise visibility into IT acquisitions or inventories. Hoover said a typical federal agency may have tens of thousands — perhaps even hundreds of thousands — of IT assets that different people in different offices bought from different vendors at different times over many years. Yet it is rare to find an agency that keeps that in- formation in one database or tool. “From what I’ve seen, as often as not, it’s like each individual office might log their acquisitions and asset data in Excel spreadsheets on SharePoint,” Hoover said. “It comes back to the GRC maturity problem. It’s a sign that they’re stuck in that siloed model.”

Weak vendor governance 

Another set of responses suggests that agencies do a poor job of sharing information about vendors they work with or are considering working with, which can lead to poor sourcing and vendor management decisions.

Almost two-thirds of respondents said they were unsure how well their agencies are able to gather performance data on vendors and their projects and services. Only 15 percent said their agencies didn’t have this challenge.

Asked if their agencies would benefit from having scorecard-type data about vendors and their performance, 44 percent of respondents said yes, while 46 percent said they didn’t know. And 54 percent of respondents said their agencies would benefit from having a central view of available vendors along with their Contractor Performance Assessment Reporting System and other performance information. Forty-two percent said they were unsure if it would help.

Finally, only 18 percent of respondents said their agencies take a proactive approach when it comes to vendor assessment and acquisition. The remainder was roughly split between saying their agencies take a reactive approach and being unsure.

Compliance challenges 

Other survey results point to another big problem: meeting priority compliance directives, including FITARA, and tracking their compliance progress.

Respondents were widely unsure about whether their agencies were challenged in meeting FITARA mandates. Only roughly one in 10 said their agencies were not facing challenges. And when asked to cite the sources of FITARA challenges they faced, roughly three-quarters said budget constraints, culture or a lack of understanding of FITARA’s requirements.

Asked where their agencies were in terms of implementing FITARA, the vast majority (83 percent) said they either have not yet begun or were only in the very early stages of implementation. Hoover attributes this to the fact that FITARA is still fairly new — implementing guidance was issued June 2015 — and agencies have many other management challenges on their plates, including other compliance directives and budget constraints.

Similarly, when asked whether their agencies are struggling to track progress toward meeting mandates under the Data Center Optimization Initiative, almost a quarter of respondents said yes and two-thirds were unsure.

These survey responses make clear that agencies are hampered by poor cross-enterprise visibility into IT acquisitions and resources, a lack of information sharing about the vendors they work with or may work with, and an inability to track progress in meeting priority compliance directives, including FITARA.

Download the full brief here

Branding Asset RSA Logo 122564_FourPointsLogowithSDVO

Leave a Comment

Leave a comment

Leave a Reply