GAO Finds IT Investment Risk Reporting Inconsistent

Posted by Angie Petty on June 14, 2016

GAO evaluated CIO IT risk ratings for 95 investments using the IT Dashboard and found that, in general, CIOs gave investments healthier risk ratings than warranted. GAO also found that the methodologies for determining risk varied across agencies.

GAO studied investments with 80% or more of their FY 2015 budget allocated to development, modernization and enhancement (DME). GAO’s objectives were to evaluate agency processes for assigning risk ratings to predominantly DME investments and to assess the risk of federal IT investments, including any discrepancies with CIO risk ratings.

GAO conducted independent risk assessments for 95 IT investments, covering 17 agencies, and found discrepancies between its risk ratings and those of the agency CIOs for 73 investments. Generally, GAO rated investments as riskier than the agency CIOs did. The diagram below shows the differences between GAO and agency CIO ratings:

[Diagram: differences between GAO and agency CIO risk ratings]

GAO found that agencies used a variety of methods for determining IT investment risk, some of which incorporated OMB’s six suggested factors. Additionally, GAO found inconsistency in how frequently risk ratings on the IT Dashboard were updated.

GAO made 25 recommendations to 15 agencies to improve the quality and frequency of CIO ratings. GAO’s recommendations for executive action to ensure IT Dashboard ratings more accurately reflect risk included:

  • CIOs of eight agencies should factor active risks into their IT Dashboard CIO ratings at least as frequently as required in OMB’s guidance.
  • CIOs of four agencies should update their risk ratings.
  • CIOs of 13 agencies should ensure that their ratings reflect the level of risk facing an investment relative to that investment’s ability to accomplish its goals.

Nine agencies agreed with GAO’s recommendations, while others agreed, or partially agreed, with some recommendations but not all. Most agencies agreed to update their risk assessments more often and to incorporate the recommended criteria into the assignment of risk ratings.