Defense Business Systems: Further Refinements Needed to Guide the Investment Management Process
Highlights
What GAO Found
The Department of Defense (DOD) has developed a portfolio-based investment management process for its defense business systems, certified and approved a majority of its defense business systems, made key improvements to the data used to manage its business investments, and updated its transition plan to assist its efforts in complying with key provisions of section 332 of the Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005 (NDAA or “the act”), as amended (10 U.S.C. § 2222). However, the department continues to face challenges in fully complying with the act's requirements, modernizing its business systems environment, and addressing GAO's prior recommendations (see table).
Table: Status of DOD's Actions Related to the Act's Requirements
Act's requirements |
Status of related DOD actions |
Establish an investment approval and accountability structure, along with an investment review process |
DOD has developed a defense business system investment management framework that reflects key aspects of capital planning and investment control best practices. However, this process is not currently aligned with DOD's budget process and does not call for the department-wide investment review board to focus its attention on more costly, complex, or risky systems, while delegating detailed reviews of other systems to lower organizational levels. |
Certify that any business system program costing more than $1 million complies with the business enterprise architecture and has undertaken appropriate business process reengineering |
DOD certified about $6.4 billion in fiscal year 2014 expenditures for 1,173 defense business systems and has improved the information it collects about business system certifications. However, while most systems were certified as complying with the act's requirements, reviews supporting these certifications need to be improved, as GAO has previously recommended. In addition, reviewing systems at differing organizational levels based on cost, complexity, risk, or other specified criteria may help address these issues. |
Develop a business enterprise architecture |
DOD has efforts under way to improve the content of its business enterprise architecture. However, the department's guidance does not require components to proactively use the information collected as part of this process to reduce duplication and overlap of business systems. |
Develop an enterprise transition plan |
DOD's enterprise transition plan and related documentation include most of information required by the act, such as milestone information, fiscal year 2014 resource needs, and termination dates for legacy systems. Continued effort to address GAO's prior recommendations in this area will help to better inform oversight of the department's business systems investments. |
Source: GAO analysis of DOD data.
Department officials cited various reasons for the shortfalls noted above. For example, they stated that aligning the investment review process with the budgeting process takes time to coordinate. They also noted that different systems are reviewed with different levels of scrutiny based on various factors, but those factors are not documented in existing guidance. Continued progress in improving its investment management approach will allow DOD to more effectively manage the billions of dollars the department invests annually in modernizing its business systems.
Why GAO Did This Study
GAO designated DOD's multibillion-dollar business systems modernization program as high risk in 1995, and since then has provided a series of recommendations aimed at strengthening DOD's institutional approach to modernizing its business systems investments. Section 332 of the Fiscal Year 2005 NDAA requires the department to take specific actions relative to its modernization efforts and GAO to assess actions taken by DOD to comply with section 332 of the act. In evaluating DOD's compliance, GAO analyzed, among other things, investment management policies and procedures, certification actions for business system investments, and the latest versions of the department's business enterprise architecture and enterprise transition plan.
Recommendations
GAO is making three recommendations to help improve the department's business system investment management process and business enterprise architecture. DOD concurred with two recommendations and partially concurred with the third—to define criteria for reviewing business systems at appropriate levels in the department. In particular, DOD noted that systems are reviewed within components before being reviewed by the executive-level investment review board. However, until DOD ensures that investments are reviewed at an appropriate level based on defined criteria such as cost, scope, complexity, and risk, the department is at an increased risk of failing to identify and address important issues associated with large-scale and costly systems.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Defense | To help ensure that the department's business systems modernization program is fully compliant with the act and is more effectively implemented, the Secretary of Defense should direct the appropriate DOD management entity to define by when and how the department plans to align its business system certification and approval process with its Planning, Programming, Budgeting, and Execution process. |
As we reported in July 2015, DOD has taken steps to align its business system certification and approval process with its Planning, Programming, Budgeting, and Execution process. For example, according to the department?s February 2015 certification and approval guidance, Organizational Execution Plans are to include information about certification requests for the upcoming fiscal year as well as over the course of the Future Years Defense Program. All of this information is to be considered when making certification and approval decisions. In addition, the guidance states that the chair of the Defense Business Council will make programming and budgeting recommendations to the Office of Cost Assessment and Program Evaluation and the DOD Comptroller.
|
Department of Defense | To help ensure that the department's business systems modernization program is fully compliant with the act and is more effectively implemented, the Secretary of Defense should direct the appropriate DOD management entity to define criteria for reviewing defense business systems at an appropriate level in the department based on factors such as complexity, scope, cost, and risk, in support of the certification and approval process. |
The Department of Defense has addressed the recommendation. Specifically, in response to our recommendation, and consistent with updates to legislation governing defense business systems investments, in February 2017, the Department developed and issued guidance defining business system categories and associated decision authorities. For example, category I systems include defense business systems expected to have a total amount of budget authority over the period of the current Future Years Defense Program in excess of $250,000,000 and systems designated by the Deputy Chief Management Officer (DCMO) as priority based on complexity, scope, and technical risk. These systems are to be certified by the DOD DCMO unless delegated. Category II systems, are systems that are expected to cost between $50 million and $250 million. Military department category II systems are to be certified by the military department's Chief Management Officer unless delegated. Category II systems owned by other DOD component systems are to be certified by the DOD DCMO unless delegated. Category III systems are systems that are expected to cost less than $50 million over the Future Years Defense Program and are not required to be certified. By developing a tiered approach to reviewing defense business systems, the department is helping to ensure that investments are reviewed at an appropriate level based on defined criteria, thus reducing the risk of failing to identify and address important issues associated with large-scale and costly systems.
|
Department of Defense | To help ensure that the department's business systems modernization program is fully compliant with the act and is more effectively implemented, the Secretary of Defense should direct the appropriate DOD management entity to develop guidance requiring military departments and other defense organizations to use existing business enterprise architecture content to more proactively identify potential duplication and overlap. |
As we reported in July 2015, DOD has developed guidance requiring military departments and other defense organizations to use existing business enterprise architecture content to more proactively identify duplication and overlap. In particular, the department?s April 2015 business enterprise architecture compliance guidance states that examining programs for potential duplication and overlap should occur during the problem statement requirements analysis process, which is to occur early in a program?s life cycle. In addition, the department?s December 2014 problem statement requirements validation guidance calls for an enterprise architecture analysis to be conducted that is to determine if a capability already exists within the organization or elsewhere across the DOD. If a solution already exists, the problem statement sponsor is to direct that the existing solution be reused. In addition, officials from the Office of the DCMO demonstrated that its new Integrated Business Framework-Data Alignment Portal tool can be leveraged to identify potentially duplicative systems based on business enterprise architecture compliance information that has been entered into the system.
|