Risk Assessment of the Millennium Challenge Corporation’s Information Technology Governance Over Its Information Technology Investments
Recommendations
IT Governance Recommendation: We recommend that the Millennium Challenge Corporation Chief Information Officer update the information technology strategic plan to reflect current enterprise strategic goals.
We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a formal process for managing risk and updating the information technology strategic plan accordingly. Risk management must drive enterprise architecture decisions, providing secure information system environments for critical applications. The plan should be reviewed, at a minimum, annually and when major events occur that have an impact on strategic goals. When updating the information technology strategic plan, the Chief Information Officer should verify compliance with the Office of Management and Budget Circular No. A-130, Management of Federal Information Systems, with regard to the capital planning and investment control process, which includes the information resource management strategic plan and the information technology capital plan, which is required to be updated twice yearly.
We recommend that the Millennium Challenge Corporation Chief Information Officer complete the enterprise information architecture planning and implementation project as discussed in the Executive Level Notional OCIO 2 Year Portfolio in order to maintain an information architecture that reflects the business requirements.
We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a project plan for leveraging data as indicated in the authoritative data source process and methodology in order to provide business users access to detailed information to aid in analysis and decision making by June 30th, 2012.
We recommend that the Millennium Challenge Corporation Chief of Staff develop and implement a formal process that must be consistently applied for the Enterprise Architecture Steering Committee to prioritize information technology-enabled investment programs.
We recommend that the Millennium Challenge Corporation Chief of Staff formally document and implement a process requiring the Enterprise Architecture Steering Committee to consider risk management when discussing strategic direction and approval of information technology investments.
We recommend that the Millennium Challenge Corporation Chief Information Officer (1) conduct an analysis to determine whether the information technology function has sufficient resources to adequately support the business goals and objectives of the organization and (2) through the organization's budgeting process, submit a written request for additional resources to address any shortfalls identified in the analysis.
We recommend that the Millennium Challenge Corporation Deputy Chief Financial Officer revise the budget policy and procedures to account for the change from line item budgeting to project budgeting.
We recommend that the Millennium Challenge Corporation Chief Information Officer develop a process and implement a tool for monitoring project plans and work completed to determine earned value, providing an early warning of performance issues impacting project budgets.
We recommend that the Millennium Challenge Corporation Chief Information Officer define quality requirements, criteria, and key performance indicators for evaluation of quality management for key IT processes.
We recommend that the Millennium Challenge Corporation Chief Information Officer identify and document standards, procedures, and practices for key IT processes to guide the Agency in defining and evaluating criteria for quality management.
We recommend that the Millennium Challenge Corporation Chief Information Officer implement a process to incorporate the following components into its projects:
A project governance structure that includes the roles, responsibilities, and accountabilities of various key players in project management.
Project sponsors assigned for the execution of each project.
Project office and project manager.
Elements such as approving the initiation of phases, communicating to all stakeholders the status of projects, establishing an integrated project plan, project quality plan, and defining the responsibilities of project team members.
Project risk management through the process of planning, identifying, analyzing, responding to, monitoring and controlling risk.
Project change control.
Lessons learned.
We recommend that the Millennium Challenge Corporation Chief Information Officer implement a process to verify that risk management plans and Exhibit 300 business cases are consistently used, monitored and updated annually for IT projects as required.
We recommend that the Millennium Challenge Corporation Chief Information Officer finalize and implement the system development life cycle.
We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a policy to fully address the maintenance of software applications.
We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a process for ensuring the integration of software into the current infrastructure is properly planned and executed.
We recommend that the Millennium Challenge Corporation Director of Contracting develop and implement information technology acquisition instructions that provide a methodology to evaluate the components of information technology acquisition contracts.
We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a process to ensure end user testing and evaluation of developed applications.
We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a process to ensure personnel are trained in the use of developed applications.
We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement policies and procedures for data conversion, testing of applications and infrastructure migration.