• LHC Public Hearing on Data and Technology – Testimony of John Thomas Flynn, May 2008

    September 2nd, 2008 by admin Categories: Blogs Tags: , , , , , , , , , ,
    State of California

    Little Hoover Commission

    Public Hearing on Data and Technology


    John Thomas Flynn

    Principal, Flynn, Kossick & Associates, Inc.

    Former CIO, State of California &

    Commonwealth of Massachusetts

    May 22, 2008

    As your invitation requested, I will focus my remarks on the specific areas which the Little Hoover Commission highlighted for its review, most critically, the challenges that still remain with respect to the new IT governance structure in the State of California. I will also address ways that the state could streamline the IT project funding and approval process which unfortunately has been made even more complicated and dysfunctional with recent, so-called organizational reforms. The Commission also asked how the state could improve its risk-averse approach to IT procurement and implementation, and how the State of California could use technology more effectively to track and improve government performance.

    CIO Governance Model

    Summary Recommendations:

    • Press on with Commission’s earlier recommendations for
      • A State CIO overseeing enterprise IT/Telecom infrastructure assets
      • Competitive government – technology agency competes with private sector vendors to serve departments
    • Consolidate and centralize IT human resources –Agency CIO’s should report to State CIO
    • All IT spending should be approved by State CIO
    • Eliminate Department of Finance’s duplicative, micromanagement of IT policy and IT project budgets
    • IT security should be responsibility of State CIO

    It is important to note that the Commission was “right on” in its recommendation contained in the December 2004 report, “Historic Opportunities: Transforming California State Government” which recommended the creation of a technology agency headed by the state CIO. The Commission went on to state that “the agency should manage the State’s enterprise technology assets, including all data centers, networks, state Internet portals, and telecommunication systems. The technology agency should compete with outside vendors to serve departments based on the value it offers.”

    Again, in January 2005, the Commission reviewed Governor Schwarzenegger’s new reorganization plan to create a Department of Technology Services (DTS), and recommended that the Legislature approve the reorganization. In its approval, the Commission reiterated its recommendation to establish in statute a state Chief Information Officer and to vest that position with the authority to effectively deploy technology to improve performance through state government.

    At this time, however, all the aforementioned recommendations are not fulfilled. Yes – there is a statute which created the CIO position, and it did so as a Cabinet position, not just Cabinet level, a clear distinction which I unfortunately learned only after my arrival in Sacramento from Boston in 1995.

    The CIO’s office still completely lacks organizational control over the State’s enterprise technology assets, including most importantly its data centers and telecommunications networks which reside as mentioned above in the Department of Technology Services. However, DTS is organized under the State & Consumer Services Agency.

    A critical success factor and a logical assumption to managing statewide IT involve the centralization and proper alignment of these enterprise technology assets under the jurisdiction of the state’s top technology official. Separating them organizationally only sets the stage for confusion, confrontation, a continued lack of strategic coordination, and makes real reform that much more out of reach. It is geometrically more difficult to enact infrastructure consolidation, technology standardization, and spending prioritization if those offices and assets are outside of your organization. A simple example will do. Try consolidating data centers when those data centers are in another agency or department. In addition to the centralization of enterprise IT assets, centralization of IT human resource assets should also be implemented. All agency CIO’s (currently positioned within Cabinet executive departments) should have a solid line reporting relationship into the State CIO. This would align all executive department IT management, staff and infrastructure within in the State CIO organization.

    This has been the strategic direction for best practices in state’s like Virginia, Connecticut Massachusetts, West Virginia, Pennsylvania, and yes, Michigan where legislation has not only consolidated these enterprise technology assets under the state CIO but has also centralized the IT workforce within that jurisdiction as well. This is how the CIO’s Office, with Cabinet status, with organization control of the resources, both infrastructure assets and human resources, with absolute, 100% budget and spending approval, and project oversight responsibilities, will now be positioned for success, and full accountability.

    There has been much study in this area. In particular, the U.S. Government Accountability Office’s Report to Congress, in July 2004, entitled:  FEDERAL CHIEF INFORMATION OFFICERS, Responsibilities, Reporting Relationships, Tenure, and Challenges, reported that proper alignment of the CIO authority and technology assets plays a critical role in determining successful IT management within the organization.

    There are several other governance issues which I believe this Commission should address.

    Concurrent with the creation of the CIO’s Office this past January 2008, the state also established the Information Technology Consulting Unit (ITCU) within the Department of Finance and the Office of Information Security and Privacy Protection (OISPP) within the State and Consumer Services Agency.

    As you may recall, the CIO Office’s absorbed two DOF agencies, the Technology Investment Review Unit (TIRU) and the office of Technology Review, Oversight, and Security (OTROS). This was a momentous achievement. If you had surveyed all state agencies, their number one complaint about state IT management going back to my days at DOIT would have been the duplicative budget reviews performed by DOIT and DOF on department budget requests or Feasibility Study Reports (FSR).

    Now with the creation of ITCU, a control agency with an ambiguous mandate, department IT budget requests would appear to again be subject to two separate assessments.

    And finally, enterprise IT security, now housed within OISPP, should be the jurisdiction of the State CIO. Positioned now as it is within the State and Consumer Services Agency (SCSA) will undoubtedly lead to a third review, a security assessment by third control agency on every new IT project. This cannot be allowed to happen. Leave privacy at SCSA, but I want the State CIO in charge of the department Chief Information Security Officers (CISO) across state agencies.

    Streamlining IT Approval Process

    I have already mentioned the CIO governance issues involved in the IT approval process, but there are several other important issues involving the approval methodology itself. First of all there is the problem of overall financial control over IT budgets. Each year agencies are allowed to present proposals for an unlimited number of new IT projects and they prepare 100-150 Feasibility Study Reports (FSR’s) with only about half finding their way to DOF or the State CIO because of various waivers, department threshold allowances, and other factors such as the black hole call the “budget baseline”.  Just to digress here for a moment, the state is helplessly mired in a hopelessly obsolete baseline budgeting process whereby for each new budget year, the prior year’s budget represents the unquestioned starting point on which to add new funding. I say add because reducing budgets has not been a very popular policy around here; perhaps 2009 will be different but…

    This baseline budgeting debacle which goes back forever involves specific, finite projects both in IT and otherwise, which when completed, are often overlooked during subsequent budget formulation, freeing up untold millions, perhaps billions of dollars which are then spent outside the approval, control or oversight of finance, the State CIO, the legislature, anyone. That is why I was so adamant about auditing the books, and initiating a zero based budgeting approach during the recall and during the development of the California Performance Review.

    Back to the budget approval process; now, with multiple new control/approval agencies reviewing proposed spending, coordination and control will continue to be problematic. Furthermore, after executive agencies’ approval, the project budget is combined with other programs in a large Budget Change Proposal (BCP), and then must makes its way through the legislative process, once completed, the final project budget may little resembled its original namesake.

    Once the project is funded, there is no centralized reporting system to track expenses against budget, and departments’ myriad of financial systems do a less that stellar job of monitoring financial performance. And then when the project ends you loop back to the baseline problem. Hopefully, FI$CAL, the new statewide financial system will address this, but that’s half a decade or more away. All in all the approval process is broken, lacks financial controls and accountability, and with its multiple agency approval process is a nightmare for departments utilizing the system.

    There is a chicken and egg dilemma here, because the first step in improving the IT budgeting and approval process is to understand what current spending is, and that has never been done. The DOF’s flagship financial system, CalSTARS, is older than dirt and most large agencies received a waiver (there’s that word again) and are not required to use it. Suggestions to replace it 12 years ago were rebuffed by several DOF Directors, and DOIT’s Web based tracking system to accomplish this was shut down by the gentlemen that Governor Davis appointed to the CIO position after I left office.

    Even today, the state CIO’s Office is surveying all departments to determine what their IT organizations look like in terms of staffing, budgets, projects, etc. Just what we did in 1996. Not exactly hi-tech, not totally reliable, but it’s a critical start, and that’s exactly what has to be done. Obtain a detailed snapshot of all the state’s IT spending, and track it meticulously.

    As the saying goes, it you can’t measure it, you can’t reform it, and that’s the case with the state’s IT approval process. Once we know that Department A has a total annual budget of $1 million with $100,000 of IT spending last year, and that $100,000 is classified into one-time projects, or ongoing maintenance and operations, the State will have restored financial integrity and transparency to this heretofore phantom or stealth budget. Completed projects will no longer “free up” funds for unapproved, renegade IT spending, and new or continued spending shall require the imprimatur of the State CIO.

    No more opportunities for Department A to prepare and submit 10 FSR’s for over $2 million, just to win an approved project through sheer numbers, and no more opportunity to take the free money from completed projects, and spend it with little or no consideration for Administration priorities or the State CIO’s enterprise IT strategy. Departments will need to prioritize, and to craft their proposals in line with the Governor’s agenda, and within the standards, policies and enterprise strategy of the State CIO.

    Now as I mentioned before, the new DOF department, ITCU, will be a huge problem for the State CIO. I am going to include these department responsibilities lifted directly from the DOF Web site at http://www.dof.ca.gov/state_it/

    The Office of the State Chief Information Officer (OCIO) — The OCIO is a cabinet-level agency, responsible for establishing and enforcing information technology (IT) strategic plans, policies, standards and enterprise architecture, and the IT project review, approval, and oversight program.

    The Information Technology Consulting Unit (ITCU) — The ITCU is a unit within the Department of Finance (Finance), and operates under Finance’s general powers of supervision over all matters concerning the financial and business policies of the State, as defined in Section 13070 of the Government Code. The ITCU’s primary functions include performing fiscal analysis of proposed statewide IT policies and enterprise initiatives and fiscal oversight of Finance-identified critical IT projects.

    So now Finance will not only be approving projects (DOF euphemistically calls it “performing fiscal analysis), but also the State CIO’s policies, plus they will also have oversight responsibilities on IT projects. This is a very clear evidence of duplicative responsibilities. It’s as if TIRU and OTROS have risen again like the Phoenix. To paraphrase Mark Twain, I am afraid that earlier reports of Finance’s getting out of the IT project approval process were greatly exaggerated.

    So what should DOF’s role be? I am not saying DOF should just give the CIO and departments a blank check. What I am saying, going back to my example with Department A, is that DOF should set the budget framework for State IT spending. The Finance Director should meet with the CIO Secretary when the new budget year preparations begin. They will both know what was budgeted for IT the previous year, and that will be the starting point for new spending in the next budget year. For example, for the new FY2009 budget, the Governor called for a 10% cut due to the deficit. Then the CIO could go back to the agency CIO’s and give them the (bad) news. And all departments would limit their FY2009 to 90% of last year’s IT budget. In this way departments could not propose any new funding, or submit any new FSR’s which would exceed the 90% rule. Of course this process could work with the same rationale for better budget times when new, additional spending would be allowed to occur.

    As I also mentioned, any new spending would be prioritized according to Administration policies and the enterprise strategy of the State CIO, but it would still be developed initially within the overall budget framework established by Finance Director and the CIO Cabinet Secretary. So, for example, if the Governor’s top three priorities for next year’s budget are public safety, public health, and the environment, new IT spending again within the framework would be given priority status to departments and projects that advance these policies. And if the State CIO’s strategic IT direction calls for an enterprise approach to financial applications or geographic information systems (GIS), no individual FSR’s for funding new department financial systems or GIS would even be accepted for review.

    Again, this methodology represents best practices. The federal government each year assemblies their entire IT budget (FY2008: $60 billion), broken down not only by agency and department, but also by project, and it clearly is tied to the previous year’s spending.

    States with sophisticated IT organizations utilize similar methodologies, like I have mentioned before.

    This methodology is similar to that of a highway bond. The finance folks meet with the transportation department folks and agree on how much money is available. Then the transportation department identifies, prioritizes and plans the highway construction projects within the budget framework agreed upon. The finance analyst does not then review the projects, their budgets, or their road paving policies. That’s the work of the transportation department and the transportation commission.

    Now I have only briefly mentioned the legislature’s role in this process, which is obviously very significant. But again there may be a re-prioritization, if you will, of new IT spending, but it would remain within the overall budget framework, or for certain instances, new funding may be increased for special circumstances – disasters, emergencies, federal funding availability, etc., but the bottom line is that the process for budgeting IT is controlled, logical, transparent, flexible, and results in a defined, measurable end product which does not exist today.

    I have also intentionally left out details of the FSR and BCP process which would also have to be changed; but the changes are relatively minor, primarily keeping IT spending proposals separate by not collapsing them within huge departmental BCP’s which as they make their way through the budget/legislative process often lose their identity and funding integrity.

    Changing the States Risk-averse Approach to IT Implementation

    On this item, I will be brief, but adamant. If there is one complaint heard again and again among Sacramento’s IT vendor community, it’s about state procurement contract terms & conditions (T’s & C’s). While performance bonds and letters of credit are onerous and have for the most part only driven up the costs to the state while offering little real protection to California taxpayers, it is the unlimited liability clauses, and primary contractor’s liability for subcontractor equipment and software which have all to often led to multi-hundred million dollar procurements attracting just a single bid, exposing the state to inflated bids, inexperienced and unqualified bidders, the flight of well-qualified bidders away from the California IT marketplace, and sometimes all the above.

    The fact that these unlimited liability clauses have never been enforced only emphasizes their irrelevance. It is time for them to be removed.

    Using Technology to Improve Government Performance

    We have touched on this subject before in the discussion of streamlining the IT approval process, however full benefits of tracking and improving government operations require a full court commitment on an enterprise scale. Or as G.K. Chesterton might have said, performance based budgeting in government was not tried and found wanting; it was considered, deemed difficult, and abandoned.

    I have said the same thing about the 2004 California Performance Review (CPR), the largest state government reform initiative in history. It should be taken it off the shelf and implemented. CPR’s IT reforms could play a significant role in terms of the Governor’s call to reduce spending by 10%. You don’t have to cut funds and services if you can improve services and reduce costs through enabling technologies.

    My final thoughts on this performance measurement and tracking issue. Going back to my first meeting with the Governor Wilson’s Finance Director just a few days into my job in January 1996, I asked how this state, with a Fortune 5 sized, $70 billion budget, could exist without a robust, enterprise financial system. How could DOF rely on rickety, 30 year old CalSTARS to run the state’s financial operations? In fact it didn’t, as I said before, waiver after waiver was granted, so literally dozens and dozens of financial and human resources systems, the so-called Enterprise Resources Planning (ERP) systems were thrown up independently in agency after agency, with no centralized or integrated system consideration.

    However, finally, in DOF’s finest hour, Director Mike Genest and former DirectorVince Brown, with the strong support of the former CIO, Teri Takai’s predecessor, the peripatetic Clark Kelso, have been the champions of FI$CAL. This project will bring the State of California into the 21st Century in terms of financial reporting. It’s a huge project, obviously no other state has taken on anything of this scale. Its overall budget is closer to $2 billion than to $1 billion, it’s all from the already strained general fund budget, and it has a very scary, decade long implementation schedule which I think could benefit from this Commission’s scrutiny. However, FI$CAL is, along with its sister project, the so called 21st Century Project, the state’s new Human Resource/Payroll System over in State Controller Chiang shop currently under development (or not, that is certainly another project which could use a Commission review) the sine qua non in terms of effectively tracking and measuring operations and performance. FI$CAL and 21st Century projects will for the first time centralize all state budgeting and spending, track project spending and store a treasure of financial and operating statistics, allowing state managers to finally make real, informed, fact-based financial management decisions. It will also facilitate the public’s access to this treasure trove of data allowing the so-called called “Army of David’s” to borrow Instapundit blogger and Tennessee law professor, Glenn Reynold’s book title, to analyze and if warranted, expose wasteful state spending on earmarks we so often hear about in Congress, but so far in California lack the data mining capabilities that successful financial and HR systems could provide.

    Do not let these projects flounder, or be defunded due to state deficits or other considerations. Remember, in spite of the Governor’s sentiments, these books have never been audited, perhaps they never can be. But FI$CAL and the 21st Century projects represents to the state and its taxpayers the last, best hope to ever comes to grips with this bookkeeping nightmare.

    Anonymous Commenting is Welcome. To have your name or website appear with your comment, fill out the form below. All Comments are moderated to prevent spam. Thanks for joining in the discussion!