2.109.1 Risk, Issue, and Action Item Management Policy

Manual Transmittal

April 16, 2020

Purpose

(1) This transmits new Internal Revenue Manual (IRM) 2.109.1, Risk, Issue, and Action Item Management Practices, Risk, Issue, and Action Item Management Policy.

Material Changes

(1) This is a new manual and thus without material changes.

Effect on Other Documents

This manual supersedes the Risk, Issue, and Action Item Management Directive, version 4.1, dated June 18, 2018.

Audience

The audience for this manual is the Information Technology (IT) Organization, contracted personnel, and other stakeholders responsible for following the Enterprise Life Cycle (ELC) guidance.

Effective Date

(04-16-2020)

Nancy Sieger
Acting Chief Information Officer

Program Scope and Objectives

  1. Overview - This document describes the formal Information Technology (IT) policy for implementing the requirements of the Risk, Issue, and Action Item Management process.

  2. Purpose - The purpose of this policy is to establish a common management process for risks, issues, and action items management plans across the Internal Revenue Service (IRS) IT Organization.

  3. Audience - The audience for this IRM is the IT Organization, contracted personnel, and other stakeholders responsible for following the Enterprise Life Cycle (ELC) guidance.

  4. Policy Owner - Strategy and Planning, Business Planning and Risk Management, Enterprise Life Cycle Office.

  5. Program Owner - Strategy and Planning, Business Planning and Risk Management, Enterprise Life Cycle Office is responsible for the development, implementation, and maintenance of this policy. Approval of this policy, including updates, rests with the Director, Business Planning and Risk Management. All proposed changes to this policy must be submitted to Business Planning and Risk Management, Enterprise Life Cycle Office.

  6. Primary Stakeholders - This policy applies to all IT projects and programs.

  7. Program Goals - The goal is to establish an authoritative repository in which all IT programs and projects maintain risk, issue, and action item management.

Background

  1. Risk Management is an organized, systematic decision-making process that efficiently identifies, analyzes, plans, tracks, controls, communicates, and documents risks and issues with sufficient forewarning to increase the likelihood of achieving the IT Program goals throughout the lifecycle of a program or project. This Policy defines the processes, products, and responsibilities required to implement effective risk, issue, and action item management for the IRS.

Purpose

  1. The purpose of this policy is to establish a common management process for risks, issues, and action items management plans across IT. A common management process promotes early identification and timely resolution of risks, issues, and action items when warranted.

Scope

  1. The scope of this policy applies to all projects and programs in IT.

Authority

  1. Strategy and Planning, Business Planning and Risk Management, Enterprise Life Cycle Office is responsible for the development, implementation, and maintenance of this policy. Approval of this policy, including updates, rests with the Director of Business Planning and Risk Management. All proposed changes to this policy must be submitted to Strategy and Planning, Business Planning and Risk Management, Enterprise Life Cycle Office.

Mandate

  1. The following mandates apply across IT programs/projects:

    • All IT projects shall record and maintain risks and issues in the Item Tracking Reporting and Control (ITRAC) repository, with the exception of Cybersecurity, which shall record and maintain all IT risks and issues in Archer. ITRAC serves as the authoritative source of IT projects’ Risk information at the Internal Revenue Service.

    • All IT programs and projects shall inventory and document risks, issues and action items. For the purposes of this policy, action item data is limited to action items resulting from program level management meetings, including IT Executive Steering Committees and IT Governance Boards.

    • All IT projects, contractors, and stakeholders shall participate jointly and cooperatively in a common management process for risks, issues and action items.

    • All item management activities shall be planned and managed in accordance with applicable laws, regulations, IRS policies, and approved processes and procedures.

    • Strategy and Planning shall support the risk management processes used by the projects as a continuous and integral component of the solution life cycle across the IT portfolio. IT suppliers and contractors shall implement item management and contingency planning processes and procedures that comply with the requirements in this policy and are in accordance with the terms and scope of their contracts and agreements.

    • Strategy and Planning shall conduct periodic reviews of risks and issues within the ITRAC repository to ensure that the information is appropriate, current, complete, and accurate.

    • Each Program Management Office (PMO), or equivalent function, shall ensure that IT programs and projects within their organizations develop, implement, and maintain risk and contingency management plans in accordance with approved processes and procedures.

    • Each PMO, or equivalent function, shall ensure that all metrics for their organizations are collected to determine the effectiveness of the item and contingency management activities.

    • Each PMO, or equivalent function, shall ensure that items belonging to their organizations, whose impacts could significantly affect the success of IT programs and projects, are escalated to the appropriate management level where they can be successfully resolved.