2.172.2 Enterprise Control Authority and Operations Process and Procedures

Manual Transmittal

April 22, 2021

Purpose

(1) This transmits new IRM 2.172.2, IT Enterprise Control Authority and Operations, IT Enterprise Control Authority and Operations Process and Procedures

Material Changes

(1) This is a new IRM.

Effect on Other Documents

This new IRM incorporates Interim Guidance IT-02-0319-0007, Interim Guidance on Internal Revenue Manual (IRM) 2.172 Enterprise Control Authority and Operations Directive

Audience

All IRS employees and contractors managing and performing control activities on the IT program, projects and portfolio.

Effective Date

(04-22-2021)

Nancy Sieger
Chief Information Officer

Program Scope and Objective

  1. This IRM provides Information Technology (IT) Enterprise Control Authority and Operations directives and procedures. It provides the purpose, scope, authority, mandates and responsibilities for IT Enterprise Control Authority and Operations policy.

Background

  1. The Enterprise Control Authority and Operations Directive issued April 2009, provided guidance for IT and business unit support organizations. This IRM replaces the 2009 Directive and incorporates Interim Guidance IT-02-0319-0007, Interim Guidance on Internal Revenue Manual (IRM) 2.172 Enterprise Control Authority and Operations Directive.

Procedure Description

  1. This IRM section establishes the Enterprise Control processes, procedures, and mandates for IT Enterprise Control functions.

Goal

  1. The goal is to provide IT Enterprise Control functions with IT Enterprise Control Authority and Operations Process and Procedures and to provide effective oversight and decision-making. This IRM establishes and mandates how projects and programs executing in the IT Portfolio are required to record and track progress, performance, and status information, so that the data vital for management, decision-making, and monitoring by governance is available.

Objective

  1. To inform and educate IT and business support organizations on the requirements of the IRS IT Enterprise Control Authority and Operations Process and Procedures.

Authority

  1. Authority for this guidance comes from:

    • IT Governance IRM, 2.172 IT Program Governance

    • Treasury Directive 81-01, Treasury Information Technology (IT) Programs

    • OMB Circular A-11

    • Assignment of Information Technology/Information Resources Management Responsibilities Memo (signed by the Treasury CIO; dated February 1, 2016)

    • H.R.1232 - Federal Information Technology Acquisition Reform Act (FITARA)

    • Applicable OMB/Treasury Circulars, Directives, and memos

Other References

  1. Other references include:

    • Internal Revenue Manual (IRM), Part 1

    • IRM 10.8.1 IT Security Policy and Guidance

    • Public Law 107-347, E-Government Act of 2002, Title III, Federal Information Security Management Act

    • Enterprise Life Cycle (ELC), IRM 2.16.1

    • Enterprise Health Assessment User Guide (released in Q2 FY 2019 – Updated November 2020)

    • Enterprise Key Performance Indicator (EKPI) Criteria Guide (released in Q2 FY 2019 – Updated November 2020)

Procedures

  1. This document establishes and mandates the following Enterprise Control Authority and Operations Process and Procedures.

Enterprise Control Procedures

  1. Enterprise control is defined as the standard and processes to support continuous monitoring, reviewing, and reporting on the execution and performance (health) of IT projects to promote successful IT portfolio management. An enterprise control organization is an entity (IT ACIO and business unit support organization) that is responsible for implementing and monitoring established control processes to facilitate the oversight of IT portfolio programs/projects within its purview. To support the overall control process, the enterprise shall maintain this IRM and the structures that are key to its execution. The control process integrates the standardization of the data and data collection across the enterprise; the generation of enterprise key performance indicators; common, familiar, and consistent report generation; and escalation processes for governance to promote successful IRS IT portfolio decision-making and management.

  2. The following enterprise control processes have been established and are maintained to satisfy the mandates of the IRM:

    • Enterprise Standard Data Set capture via the Enterprise Health Assessment (EHA)

    • Enterprise Performance Measurement (Enterprise Key Performance Indicators (EKPIs))

    • Enterprise Escalation (see IT Governance IRM 2.173)

    • Governance Structure, Operation, and Execution (see IT Governance IRM 2.173)

Enterprise Health Assessment (EHA) Process

  1. The Enterprise Health Assessment process is a standardized approach for identifying, assessing, and evaluating performance areas of IRS projects enterprise-wide. It provides the framework and data standards to analyze, report, and escalate potential performance risks and issues. As such, the EHA directive mandates that the process be conducted monthly (or more frequently, as necessary, when key data changes in real time). A standard data set was created to streamline, simplify, and align data capture with existing internal and external reporting. The standard data set will accommodate recurring requirements in reporting such as IT Operational Reviews, the IT Business Performance Review (BPR), monthly reporting to Treasury, and the Omnibus IT Investment Report.

  2. The standardized EKPIs for cost, schedule, scope, and risk will be applied to all program and project types equally and will provide initial indications of performance issues that may need further attention. These EKPIs will be used in enterprise-level governance reports and will be shared across the enterprise, providing internal IRS transparency and a line of sight for external entities and oversight bodies. Governance Boards and Executive Steering Committees will also incorporate the established process timing in their analysis to provide efficient use of the data for both agenda development and decision-making.

  3. Each IT ACIO and business unit support organization is responsible for implementing and monitoring the established standard health assessment (HA) data and processes to facilitate the oversight of the IT portfolio items (projects and programs) within its purview.

  4. Each IT ACIO and business unit support organization should use the EHA process to:

    • record updates to the enterprise standard data set for projects and programs on a regular cadence,

    • represent a summary level of project and program activity for an indication of performance to initiate executive and governance awareness and action when necessary,

    • reflect common information through standard formats and data capture on cost, schedule, scope, and risk -- regardless of project or program type, funding, life cycle, and methodology,

    • begin discussions on project or program performance issues to assist with executive and governance decision-making.

Enterprise Performance Measurement Process (Enterprise Key Performance Indicators)

  1. IT enterprise performance management includes the use of standard enterprise key performance indicators (EKPIs) that are primarily objective and are calculated consistently for all items within the IT portfolio. The standardized EKPIs for cost, schedule, scope, and risk will be used to monitor key elements of project and program performance across the entire IT portfolio. Projects and programs report data in the EHA that, based on established enterprise criteria, will generate the four EKPIs - as well as an overall rating that reflects the worst performing of the four.

    • EKPI reporting enables IT to have a common enterprise view of project and program performance across the four key performance areas -- providing transparency across the enterprise and allowing decision makers at all levels the opportunity for awareness, as well as the ability to address potential difficulties as necessary.

    • EKPI definitions and calculations will be periodically assessed by an enterprise workgroup to ensure performance evaluation is conducted in the most effective, efficient, and meaningful manner for the potential changing needs of the IT organization.

    • EKPI potential changes (definitions and/or calculations) will be addressed by an enterprise workgroup to ensure consistency and agreement across IT before implementation.

Enterprise Thresholds and Escalation Process

  1. EKPI thresholds are established as a standard across the enterprise for ratings of cost, schedule, scope, and risk performance. Color/symbol indicators (green, yellow, red) based on these thresholds represent a standard signal of potential problems triggering identification, awareness, and investigation at the appropriate levels of management and/or governance. An IT ACIO or business unit support organization conducting first level review of their respective portfolios may determine further necessary actions based on the insights gained in that investigation – to include management or governance escalation for awareness or action required for mitigation or resolution.

  2. EKPI indicators are automatically generated based on the data elements entered each cycle (monthly or more frequently as necessary) in the EHA. These indicators should serve as an alert system; the color/symbol indicators should not be viewed as the sole basis for determining action or making decisions. As determined by varying levels of governance, these indicators will be a key component of defined escalation criteria. EKPIs will be used in recurring monthly reports or periodic live viewing for the various levels of IT portfolios throughout the IT ACIO and business unit support organizations. The format and context of these recurring EKPI reports will create a familiar and consistent view for executives, governance board chairs, Executive Steering Committees, and the CIO Office.

    • The control escalation process is an “early detection” process that uses the EKPI ratings to assess overall project health based on the severity of existing issues and potential risk.

    • The enterprise escalation process is used by project teams and their respective control organizations to initiate discussions, broader assessments, and potential resolution on areas of concern.

    • The escalation process helps stakeholders identify projects and programs with a real or potential concern, risk or issue. EKPIs that exceed defined thresholds indicate an area of interest to be examined and understood by various levels of management and governance. If it is determined that a project needs a higher level of management/governance intervention, the project is elevated for broader awareness, understanding, mitigation and resolution.

  3. IT ACIO and business unit support organizations, Governance Boards, and Executive Steering Committees (ESC) shall apply the following escalation criteria:

    • One full month of overall red rating requires IT ACIO or business unit support organization review and assessment to recommend escalation.

    • Two full, consecutive months of overall red rating requires Governance Board (GB) assessment to recommend escalation.

    • Three full, consecutive months of overall red rating requires a joint ESC Chair and GB consideration for escalation to the Executive Steering Committee.

  4. At any time, the owning ESC or GB has the authority to accelerate escalation. Similarly, ACIOs and Deputy ACIOs have the authority to accelerate escalation.

  5. Additional detail on escalation and governance operation can be found in the IT Governance IRM 2.173.

Enterprise Control Mandates

  1. This Directive establishes mandates for IRS IT enterprise control functions (IT ACIO and business unit support organizations). Through internal controls during the initiation, design, development, deployment, and operations of the agency’s IT systems, these mandates shall be satisfied. This Directive requires adherence to the following mandates:

    • Compliance with Federal, Treasury, and IRS Policies

    • Promulgation of enterprise-wide control processes

Compliance with Federal, Treasury, and IRS Policies

  1. The purpose of this mandate is to ensure that all IT ACIO and business unit support organizations plan, manage, and implement activities in accordance with all applicable Federal, Treasury, and IRS policies and procedures.

  2. IT ACIO and business unit support organizations must adhere to the following requirements to satisfy this mandate:

    • All projects and programs within the IRS IT portfolio shall comply with Federal (e.g., Congressional), Treasury (e.g., Treasury Inspector General for Tax Administration) and IRS regulations and policies.

    • All projects and programs within the IRS IT portfolio shall comply with established enterprise control processes and procedures.

    • IRS Heads of Office shall be responsible for ensuring that their organizations are in compliance with this Directive. This responsibility may be delegated to facilitate implementation.

Promulgation of Enterprise-Wide Control Processes

  1. The purpose of this mandate is to require the control processes which enable IT governance, portfolio review, monitoring, support, and reporting for all stakeholders. The control processes include:

    • Completion of the Enterprise Health Assessment (EHA).

    • The EKPI performance ratings resulting from the EHA process.

    • Project and portfolio health/status reviews to include assessments of cost, schedule, scope, risk and escalation guidance.

    • Baseline Change Requests (BCR) and Milestone Exit Reviews (MERs).

    • The use of project management disciplines.

  2. To satisfy this mandate, the following requirements must be adhered to:

    • IRS IT executives shall promote adherence to IRS control functions at each identified control level (ACIOs, DACIOs, and IT ACIO and business unit support organizations).

    • All items within the IRS IT portfolio shall be assigned to an IT ACIO or business unit support organization after the IT portfolio has been formally approved and funded by the portfolio process.

    • IT ACIO and business unit support organizations shall effectively execute defined control processes to promote successful implementation of the IRS IT portfolio.

    • IT ACIO and business unit support organizations shall escalate projects and programs to higher levels of authority based on defined enterprise escalation guidelines provided in the governance directives.

    • IT ACIO and business unit support organizations manage their respective project and program data collection and review processes within the required monthly cadence.

    • IT ACIO and business unit support organizations own their project and program data, as well as any proposed escalation through formal governance by Strategy and Planning (S&P).

    • S&P shall maintain an enterprise IT portfolio to enable ongoing management and monitoring of IT funded projects and programs.

    • S&P shall maintain a summary reporting form/survey (Enterprise Health Assessment) (EHA) to facilitate and enable IT governance, IT portfolio review, monitoring, support, and reporting for all stakeholders, as well as adapt to evolving data capture needs for reporting IT progress at the highest levels.

    • S&P shall maintain a central repository for the collection, analysis, and storage of project and program status information in support of the enterprise HA process (using the Oracle Primavera Portfolio Management (OPPM) tool – formerly known as ProSight and as Primavera Portfolio Management).

    • S&P shall create standard enterprise reports to serve needs of management and governance at all levels so that the data captured is represented in a clear, concise, effective, efficient, and meaningful way.

    • S&P shall maintain a process that leverages project and program status information provided by the IT ACIO and business unit support organizations to facilitate the IT governance process.

    • S&P shall continue to assess tools and processes to reduce burden and create efficiencies for data collection and reporting regarding IT progress and performance.

Enterprise Control Levels and Responsibilities

  1. The control IRM, along with the governance IRM, identifies control activities from the project level to the Executive Steering Committee (ESC) level. The enterprise control organizations (IT ACIO and business unit support organizations) are responsible for implementing and monitoring established control processes to facilitate IT governance, portfolio review, monitoring, support, and reporting.

  2. The enterprise control functions (IT ACIO and business unit support organizations) are assigned for review and monitoring based upon the control levels outlined in this section of the directive. The roles and responsibilities vary with each control level.

    • Project and Program Management Control Level

    • Organizational Control Level (IT ACIO and business unit support organizations)

    • Governance Board Level

    • Executive Steering Committee (ESC) Level

Project and Program Management Control Level

  1. The project and program management control level is multi-tiered, consisting of both project/program and direct line management control responsibilities.

  2. The Project Manager (PM) has responsibility for day-to-day execution of a project’s implementation. The PM also has responsibility for control processes, which include performing the following control tasks:

    • Complete Enterprise Health Assessment survey/tool (EHA) for projects and/or programs currently assigned.

    • Establish, update, and maintain project and/or program data in the enterprise standard tool to support control processes (e.g., IRS Oracle Primavera Portfolio Management (ProSight)).

    • Track and report project and/or program variances and performance issues (e.g., cost, schedule, scope, risk).

    • Conduct and execute risk management activities (i.e., risk identification, analysis, and mitigation).

    • Capture and report project and program performance measures using EKPIs.

    • Participate in or conduct project control status reviews correlating to regular/monthly cadence reporting (defined by IT ACIO or business unit support organization).

    • Prepare, capture, and retain BCR decisions, and inform respective (IT ACIO and business unit support organization) of results, when applicable.

    • Prepare MER requests, including the capture and retention of Executive Steering Committee decisions.

    • Maintain annual planned and actual cost information so that a cumulative life-cycle cost is available.

  3. The management control level has the responsibility for multiple projects and programs. The PMs report directly to the appropriate management level that has control process responsibility for their projects. To support control functions and validate checks and balances within the IT portfolio, the control management level responsibilities include:

    • Review and mitigate project and program variances and performance issues (e.g., cost, schedule, scope, risk).

    • Review and monitor project and program risk activities.

    • Escalate projects to organizational level (IT ACIO and business unit support organizations) and/or governance boards for review as necessary per enterprise governance escalation guidance.

    • Advise and provide guidance to project managers on technical, integration, budget and contracting issues.

    • Monitor compliance with governance, life cycle, budget, business, technical, legislative, and security requirements.

    • Review and monitor BCRs initiated at the project control level.

    • Review and monitor MERs initiated at the project control level.

    • Review and monitor planned and actual life-cycle cost information.

Organizational Control Level

  1. The IT ACIO and business unit support organizations are responsible for monitoring all project and program status information within their assigned organizations, the performance of control and management tasks, and for the successful execution of the following control processes at the organizational level. In some cases, the organizational control level (IT ACIO and business unit support organizations) may also serve as the management level for projects under their purview:

    • Ensure all projects and programs within the respective portfolio are participating in the required Enterprise Health Assessment (EHA) reporting process.

    • Ensure all projects and programs within the respective portfolio are assigned to the correct Investment and Unique Investment Identifier from which they are receiving IT funding for the given fiscal year per the FMS Control Chart listing - as required by the Enterprise Health Assessment reporting process.

    • Identify one to two representatives from the organization to act in a portfolio manager role for the respective IT ACIO or business unit support organization portfolio within the tool - with knowledge and acting authority to identify necessary changes to the inventory of projects and programs - to properly reflect current inventory of funded IT work to maintain the overall integrity of the IT Portfolio.

    • Review and analyze the project and program variances and performance issues (e.g., cost, schedule, scope, risk) within the respective portfolio on a regular cadence and mitigate when applicable.

    • Advise projects and programs on technical, integration, budget, and contracting issues.

    • Escalate projects and programs to appropriate governance boards or functional equivalent for control review per enterprise escalation guidance.

    • Escalate projects and programs to appropriate executive governance boards for exception review per enterprise escalation guidance.

    • Track and monitor compliance with governance, life cycle, budget, business, technical, legislative, and security requirements.

    • Track and monitor BCRs prepared at the project/management control level, when applicable.

    • Track and monitor MERs prepared at the project/management control level, when applicable.

    • Review and monitor planned and actual life-cycle cost information.

    • Review and monitor planned and actual schedule information.

Governance Board (GB) Level

  1. Ensure all projects and programs within the respective portfolio are participating in the required Enterprise Health Assessment reporting process.

  2. Monitor the IT portfolio projects and programs through the enterprise key performance indicators generated by the enterprise health assessment including cost, schedule, scope, and risk.

  3. Approve cost, schedule, and scope plans for the given fiscal year for projects and programs within the respective portfolio - addressing any requests for re-baselining due to unforeseen circumstances throughout the year - and approve cost, schedule, and scope baseline changes (BCRs) or escalate them to IT ESCs as necessary.

  4. Act to address variances and risks that are within the specific control and authority of the Governance Boards, and escalate those items which need a higher level of remediation to IT Executive Steering Committees (ESC).

  5. Continually assess risk on a regular cadence within respective portfolios to identify new risks, ensure mitigations for known risks are monitored, and to escalate those risks which need ESC awareness or intervention.

Executive Steering Committee (ESC) Level

  1. ESCs shall:

    • Oversee portfolio risk and performance

    • Resolve escalated risks

    • Recommend annual IT portfolio to the Senior Executive Team (SET)

    • Sponsor governance boards as needed

    • Delegate some governance decisions down to a governance board as appropriate

Waivers and Deviations

  1. There are no waivers or deviations from the mandates identified in the Procedural Changes Section of this document.