2.173.2 IT Governance Procedures

Manual Transmittal

October 04, 2019

Purpose

(1) This transmits new IRM 2.173.2, IT Governance, IT Governance Procedures.

Material Changes

(1) This is a new IRM.

Effect on Other Documents

This new IRM incorporates Interim Guidance IT-02-0319-0008, Reissued Interim Guidance for Internal Revenue Manual (IRM) 2.173 Information Technology (IT) Governance Standards.

Audience

IRS employees and contractors who support or are members of IT governance boards.

Effective Date

(10-04-2019)

Chief Information Officer

Program Scope and Objective

  1. This IRM section provides IT governance policy and procedures to support, promote and execute effective IT governance.

Background

  1. This new IRM incorporates Interim Guidance IT-02-0319-0008, Reissued Interim Guidance for Internal Revenue Manual (IRM) 2.173 Information Technology (IT) Governance Standards.

Process Description

  1. This IRM section contains the procedures for starting an IT governance board, board meeting frequency, meeting minutes and decisions, the annual self-assessment and finally the health assessment process.

Goal

  1. The goal is to enable IT governance to provide effective oversight and decision-making.

Objective

  1. The objective of IT governance is to support the achievement of the IRS mission and strategic goals.

Authority

  1. Authority for this IRM includes:

    • House of Representatives 1232 - Federal Information Technology Acquisition Reform Act (FITARA)

    • Assignment of Information Technology/Information Resources Management Responsibilities memorandum dated 01/26/2018

    • Applicable OMB and Treasury circulars, directives and memorandums

  2. Investment and Portfolio Governance (IPG) is responsible for developing, implementing and maintaining this IRM. Approval of this IRM including updates rests with Investment and Portfolio Control and Oversight (IPCO). Proposed changes to this IRM must be submitted to IPG. Please share your comments and suggestions to improve this IRM with us via an email to *IT Program Governance Office.

IT Governance Procedures

  1. This document provides IT governance policy and procedures to support, promote and execute effective IT governance.

Starting an IT Governance Board

  1. New IT governance boards need an executive sponsor and stakeholder approval. Sponsoring executives will identify support staff for a new board.

  2. IT governance boards need a charter. Governance board charters document the roles, responsibilities and authorities of board members and management in advising, directing and managing the IT portfolio. Charters are essential for good governance and required for all operating IT governance boards.

  3. Before drafting a charter for a new governance board, determine what type of board is needed:

    Board Type: Executive Steering Committee (ESC)
    Description: ESCs are top-level governance boards chaired by IRS senior leadership. ESCs sponsor governance boards and receive reports from them. ESCs have the authority to make key IT Governance decisions or delegate decisions down to a governance board.

    Board Type: Governance Board (GB)
    Description: Governance Boards are sponsored by and report to an ESC. They make recommendations to an ESC unless the ESC has delegated a decision to them. There are two kinds of governance boards:

    • Organizational: The project portfolio is worked and managed in the sponsoring organization (e.g., Enterprise Operations or Applications Development)

    • Dedicated: The project portfolio is funded from one or more investments overseen by the subject GB (e.g., Web Applications) or consists of projects specific to an IRS function (e.g., Financial Services)

  4. The IT Governance Charter Guide provides a charter template for each type of governance board listed above. The guide also contains a “Charter Review and Approval Tracker” to walk you through the process of chartering a governance board.

  5. Chair leadership is responsible for proposing governance board membership, responsibilities and authority in the charter to approving executives. The Readiness to Govern Checklist can be used to ensure a governance board is ready to be established.

  6. Determine the frequency and schedule of meetings for the new governance board.

  7. Share your draft charter with Investment & Portfolio Governance (IPG) so they can provide input and feedback. Prepare an Action Routing Sheet to request executive signature and approval of your charter. The table below describes the approving executive for each type of governance board.

    If the Board Type is...             the Approving Executive is...
    Executive Steering Committee        IRS Deputy Commissioners
    Organizational Governance Board     Chief Information Officer
    Dedicated Governance Board          Executive Steering Committee

  8. ESCs provide oversight to their subordinate governance boards. ESCs review and approve subordinate governance board charters and may assign objectives, responsibilities and decisions to them as well.

IT Governance Board Meeting Frequency

  1. Governance boards are responsible for establishing and maintaining a meeting schedule that supports effective governance and oversight.

  2. A board must be decommissioned if it no longer meets. Complete the decommission template and email a copy to *IT Program Governance Office when shutting down a governance board.

IT Governance Board Meeting Minutes and Decisions

  1. Governance boards are responsible for:

    • Tracking action items in the Item Tracking Reporting and Control (ITRAC) database

    • Documenting meeting minutes and decisions using the Meeting Minutes Decision (MMD) Template

    • Routing and sharing the MMD with the chairs and voting members for review, comment and approval

    • Archiving approved MMDs in Document Management for IT Projects (DocIt) after two years

    • Archiving governance artifacts in an official repository

IT Governance Board Annual Self-Assessment

  1. Governance boards are responsible for conducting an annual self-assessment of the board’s operations using the IT Governance Charter Guide and Assessment Process.

Health Assessment (HA)

  1. The IRS identifies, assesses, manages and monitors risk through risk management. Governance provides a forum for identifying, assessing, escalating and mitigating IT project risks.

  2. Project managers are responsible for registering and maintaining IT projects in the Oracle Primavera Portfolio Management (OPPM) software tool.

  3. Governance boards are responsible for confirming their IT projects are registered and maintained in OPPM.

  4. Each IT project is funded from a specific investment with a Unique Investment Identifier (UII) which primarily determines ESC alignment. Projects are assigned to a governance board based on functionality and organizational alignment.

  5. Projects are responsible for regular performance reporting in the established Health Assessment (HA) process unless the CIO grants a waiver. See Interim Guidance IT 02-0319-0007, Enterprise Control Authority and Operations Directive for the IT Health Assessment policies and procedures.

  6. Governance boards are responsible for overseeing the health of their portfolios.

  7. The HA is a standardized approach for identifying, assessing and evaluating IT projects. It provides a framework and data to analyze, report and escalate potential risks and issues.

  8. The HA is conducted monthly, with each IT project’s cost, schedule, scope and emerging risks recorded and monitored in the HA application in OPPM.

  9. Key Performance Indicators (KPI) are used to monitor the health of IT projects and provide a snapshot of performance. Projects with an overall red KPI require escalation based on the table below:

    Months of Overall Red KPI    Escalate to
    1                            Program Management for review
    2                            Governance Board Chair for review
    3                            The ESC Chair, who decides if the project risk will be briefed at the next ESC meeting

  10. Associate Chief Information Officers (ACIO) and governance board Chairs may escalate a risk that needs ESC attention even if a project is not trending red.

  11. Governance board risk management responsibilities include:

    • Providing a forum for stakeholder risk discussions

    • Recommending or approving risk escalation

    • Resolving risks delegated by the CIO, ACIO or ESC

    • Managing, approving and overseeing risk mitigation

    • Directing compliance with Enterprise Architecture, Enterprise Lifecycle, Enterprise Risk Management and Health Assessments