2.172.2 Enterprise Control Authority and Operations Process and Procedures

Manual Transmittal

April 02, 2024

Purpose

(1) This transmits revised IRM 2.172.2, IT Enterprise Control Authority and Operations, IT Enterprise Control Authority and Operations Process and Procedures.

Material Changes

(1) IRM 2.172.2 - Updated, reorganized, and renumbered, to include all required internal controls and related IRM subsections.

(2) IRM 2.172.2 - Minor editorial changes to include plain language, correct broken links, update IRM 2.172.2.1, Program Scope and Objectives, and realign with required internal controls format.

(3) IRM 2.172.2.1.2 - Original Section 2.172.2.1.1.1, Procedure Description, realigned to Authority, IRM Section 2.172.2.1.2, to align with required internal controls format.

(4) IRM 2.172.2.1.3 - Original Section 2.172.2.1.1.2, Goal, realigned to Responsibilities, IRM Section 2.172.2.1.3, to align with required internal controls format.

(5) IRM 2.172.2.1.4 - Original Section 2.172.2.1.1.3, Objective, realigned to Program Management and Review, IRM Section 2.172.2.1.4, to align with required internal controls format.

(6) IRM 2.172.2.1.5 - Original Section 2.172.2.1.1.4, Authority, realigned to Program Controls, IRM Section 2.172.2.1.5, to align with required internal controls format.

(7) IRM 2.172.2.1.6 - Original Section 2.172.2.1.1.5, Other References, realigned to Terms/Acronyms/Definitions, IRM Section 2.172.2.1.6, to align with required internal controls format.

(8) IRM 2.172.2.1.7 - Related Resources Section added to align with required internal controls.

Effect on Other Documents

IRM 2.172.2 dated April 22, 2021, is superseded.

Audience

All IRS employees and contractors managing and performing control activities on the IT program, projects and portfolio.

Effective Date

(04-02-2024)


Rajiv Uppal
Chief Information Officer

Program Scope and Objectives

  1. Purpose: The purpose of the IT Enterprise Control Authority and Operations IRM is to establish requirements for the enterprise control functions, including the assessment of the health (performance) of the Information Technology (IT) program and project activities throughout implementation. Ongoing monitoring of program and project performance through health assessments facilitates informed decision-making and effective governance and management of the IRS Information Technology (IT) portfolio. The IRM provides the mandates, guiding principles, roles, and responsibilities for institutionalizing the IRS enterprise control processes. The mandates require stakeholders to perform enterprise control activities that facilitate informed decision-making and effective management of their IRS IT portfolio investment items. IRM 2.172 focuses on governance and the enterprise health assessment with the updated enterprise standard data set. It addresses the implementation of the IT Enterprise Health Assessment (EHA), its content, purpose, and relevance in IT management and governance. The IRM includes requirements for programs and projects executing under IT governance.

  2. Audience: All IRS employees and contractors managing and performing control activities on the IT program, projects and portfolio. This Directive applies to all IT programs and projects included in the IRS IT portfolio. The IRS IT portfolio includes all IT projects and programs that develop, enhance, maintain or modernize information technology capabilities to deliver the IRS’s mission (including the IRS Integrated Modernization Business Plan).

  3. Policy Owner: IRS IT, Strategy and Planning.

  4. Program Owner: IRS IT, Strategy and Planning, Investment and Portfolio Control and Oversight (IPCO), Portfolio Management & Oversight (PMO).

  5. Primary Stakeholders: All IRS IT organizations and business units.

  6. Program Goals: The goal is to provide IT Enterprise Control functions with IT Enterprise Control Authority and Operations Process and Procedures and to provide effective oversight and decision-making. This IRM establishes and mandates how projects and programs executing in the IT Portfolio are required to record and track progress, performance, and status information to ensure vital data for management, decision making and monitoring by governance is available.

Background

  1. The Enterprise Control Authority and Operations Directive issued April 2009, provided guidance for IT ACIO and business unit support organizations. This IRM replaces the 2009 Control Directive and incorporates Interim Guidance IT-02-0319-0007, Interim Guidance on Internal Revenue Manual (IRM) 2.172 Enterprise Control Authority and Operations Directive.

Authority

  1. Authority for this guidance comes from:

    • IT Governance IRM, 2.172 IT Program Governance

    • Treasury Directive 81-01, Treasury Information Technology (IT) Programs

    • OMB Circular A-11

    • Assignment of Information Technology/Information Resources Management Responsibilities Memo (signed by the Treasury CIO; dated February 1, 2016)

    • H.R.1232 - Federal Information Technology Acquisition Reform Act (FITARA)

    • Applicable OMB/Treasury Circulars, Directives, and memos

Responsibilities

  1. This IRM establishes mandates for IRS IT enterprise control functions (IT ACIO and business unit support organizations). Through internal controls during the initiation, design, development, deployment, and operations of the agency’s IT systems, these mandates shall be satisfied. This Directive requires adherence to the following mandates:

    • Compliance with Federal, Treasury, and IRS Policies

    • Promulgation of enterprise-wide control processes

Program Management and Review

  1. The Information Technology (IT) Strategy and Planning (S&P), Investment and Portfolio Control and Oversight (SP:IPCO) division is responsible for the development, implementation, and maintenance of this IRM. All proposed changes to this document must be submitted in writing, with supporting rationale to IPCO.

Program Controls

  1. This program uses the IRS Internal Management Documents System to establish controls.

Terms/Acronyms/Definitions

  1. Below is a list of IT Terms and Definitions pertaining to this document:

    Term: Definition
    IT Project: An IT endeavor with a unique start and end date following a defined software development lifecycle, or an implementation schedule and has approved funding and staffing resources which can be planned, monitored, measured and controlled which directly result in a unique product for business functionality. IT Projects are undertaken for development, modernization, enhancement, disposal or maintenance and are funded from a specific investment with a Unique Investment Identifier (UII) which determines ESC alignment. Projects are assigned to a GB based on functionality and organizational alignment and are responsible for regular performance reporting.
    IT Program: A group of organizational or functionally related projects managed in a coordinated way to obtain benefits and control not available from managing them individually.
    IT Portfolio: A collection of IT projects, programs, and/or investments used to represent the inventory of IT work being conducted and executed throughout the service for the given fiscal year, and within the confines of the IT budget.
    IT Investment: A single line item of funding in the IT Portfolio. Frequently a related set of procurements, projects, programs, and operations organized around a mission, related business functionality, or an end to end process.
    Milestones to Enter and Exit Review (MER): Milestones are used to mark project start and end dates. It can include the design phase, the deployment phase, and operations and maintenance phase. Governance Boards review and approve project milestones.
    Release: A collection of changes made since the last deployment with a unique start and implementation date that may not be a formal project, but is being monitored and tracked by ACIO, Governance Board, or Executive Steering Committee. Can represent a specific segment or segments of functionality.
    Significant Activity: A set of actions with a start and end date that may not be a formal project or release, but are being monitored and tracked by ACIO, Governance Board, or Executive Steering Committee.
    IT Project Health: Reflects the current status of executing projects and/or programs considering key elements of management and performance such as cost, schedule, scope, and existing or potential risks. Example: Is the project developing or implementing on schedule, within a range of the planned cost, on target to implement the planned scope or capabilities, and avoiding risks or mitigating risks to a degree that allows project to continue as planned? Health can be identified through the results/scoring of the key performance indicators and can be clarified through a narrative describing the specifics of that current performance (whether positive or negative). Key performance indicators can be assessed and used to simply raise awareness or to drive action on correction before more severe impacts occur.
    Enterprise Key Performance Indicator (EKPI): EKPIs are summary calculations of data elements represented by color/value indicators used to monitor the health of IT projects and programs. The standardized EKPIs for cost, schedule, scope, and risk provide initial indications of performance issues that may need further attention. EKPIs are used at the control organization level, as well as for enterprise level governance reports shared across the enterprise; providing internal IRS transparency, and a line of sight for external entities and oversight bodies. Governance Boards and Executive Steering Committees incorporate the established EKPI process in their analysis to provide efficient use of the data for both agenda development and decision making.
    Enterprise Health Assessment (EHA): The Enterprise Health Assessment is a data entry module/form used to establish a standard, repeatable process for assessing the health of IT development, maintenance, and infrastructure projects and programs - addressing key elements of reporting for Treasury, the Omnibus IT Investment Report, the IT BPR, CIO Op Reviews and providing governance and decision-makers with an insightful, consistent, and transparent data set.
    Risk Escalation: Risk escalation is a process for reporting and escalating risk. Projects and programs trending yellow and red can be escalated for attention from the project manager to a governance board and if not mitigated, to an ESC.

  2. Below is a list of IT acronyms pertaining to this document:

    Acronym: Description
    ACIO: Associate Chief Information Officer
    AD: Applications Development
    BCR: Baseline Change Request
    BPR: Business Performance Review
    CIO: Chief Information Officer
    DACIO: Deputy Associate Chief Information Officer
    DMQA: Delivery Management and Quality Assurance
    EHA: Enterprise Health Assessment
    EKPI: Enterprise Key Performance Indicator
    ELC: Enterprise Life Cycle
    EOps: Enterprise Operations
    EPC: Enterprise Program Controls
    ES: Enterprise Services
    ESC: Executive Steering Committee
    FITARA: Federal Information Technology Acquisition Reform Act
    GB: Governance Board
    IPCO: Investment and Portfolio Control and Oversight
    IPG: Investment and Program Governance
    MER: Milestone Exit Review
    OMB: Office of Management and Budget (White House)
    OPPM: Oracle Primavera Portfolio Management
    PM: Project Manager
    PM&O: Portfolio Management & Oversight
    S&P: Strategy and Planning
    SP&I: Service Planning and Improvement
    UNS: User and Network Services

Related Resources

  1. The Strategy and Planning (S&P), Investment and Portfolio Control and Oversight (SP:IPCO) division supports the IT ACIOs and business unit support organizations with resources located on the OPPM-ProSight Library including:

    Resource: Description
    Enterprise Health Assessment Navigation Tip Card: PDF document containing overview information on how to navigate the main modules and operate the basic functionality features available in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool. Specific steps on how to locate and begin using the Enterprise Health Assessment (EHA) in IT Enterprise Control application included.
    Enterprise Health Assessment User Guide: PDF document is a step-by-step guide containing detailed information for users on how to locate, utilize, and complete the Enterprise Health Assessment (EHA) in the IT Enterprise Control application in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool. This guide contains both text/category definitions, as well as image examples detailing each section of the Enterprise Health Assessment (EHA) form.
    Enterprise Health Assessment KPI Criteria: PDF document providing explanation and highlighting the detailed criteria calculations used to generate the Cost, Schedule, Scope and Risk EKPIs used in the Enterprise Health Assessment (EHA) in the IT Enterprise Control application in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool.
    Enterprise Health Assessment Valid Key Code: PDF document identifying the key set of required data elements, by location and explanation, which must be complete in order for a project and/or program to be considered “Valid” (i.e. up to date or contains current data) in the IT Enterprise Control application in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool.
    Enterprise Health Assessment FAQs: PDF document containing Frequently Asked Questions regarding the Enterprise Health Assessment (EHA) in the IT Enterprise Control application in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool.

Procedures

  1. This document establishes and mandates the following Enterprise Control Authority and Operations Process and Procedures.

Enterprise Control Procedures

  1. Enterprise control is defined as the standard and processes to support continuous monitoring, reviewing, and reporting on the execution and performance (health) of IT projects to promote successful IT portfolio management. An enterprise control organization is an entity (IT ACIO and business unit support organization) that is responsible for implementing and monitoring established control processes to facilitate the oversight of IT portfolio programs/projects within its purview. To support the overall control process, the enterprise shall maintain this IRM and the structures that are key to its execution. The control process integrates the standardization of the data and data collection across the enterprise; the generation of enterprise key performance indicators; common, familiar, and consistent report generation; and escalation processes for governance to promote successful IRS IT portfolio decision-making and management.

  2. The following enterprise control processes have been established and are maintained to satisfy the mandates of the IRM:

    • Enterprise Standard Data Set capture via the Enterprise Health Assessment (EHA)

    • Enterprise Performance Measurement (Enterprise Key Performance Indicators (EKPIs))

    • Enterprise Escalation (see IT Governance IRM 2.173)

    • Governance Structure, Operation, and Execution (see IT Governance IRM 2.173)

Enterprise Health Assessment (EHA) Process

  1. The Enterprise Health Assessment process is a standardized approach for identifying, assessing, and evaluating performance areas of IRS projects enterprise-wide. It provides the framework and data standards to analyze, report, and escalate potential performance risks and issues. As such, the EHA directive mandates that the process be conducted monthly (or as necessary as key data changes in real time). A standard data set was created to streamline, simplify, and align data capture with existing internal and external reporting. The standard data set will accommodate recurring requirements in reporting such as IT Operational Reviews, the IT Business Performance Review (BPR), monthly reporting to Treasury, and the Omnibus IT Investment Report.

  2. The standardized EKPIs for cost, schedule, scope, and risk will be applied to all program and project types equally and will provide initial indications of performance issues that may need further attention. These EKPIs will be used in enterprise level governance reports and will be shared across the enterprise; providing internal IRS transparency, and a line of sight for external entities and oversight bodies. Governance Boards and Executive Steering Committees will also incorporate the established process timing in their analysis to provide efficient use of the data for both agenda development and decision making.

  3. Each IT ACIO and business unit support organization is responsible for implementing and monitoring the established standard health assessment (HA) data and processes to facilitate the oversight of the IT portfolio items (projects and programs) within its purview.

  4. Each IT ACIO and business unit support organization should use the EHA process to:

    • record updates to the enterprise standard data set for projects and programs on a regular cadence,

    • represent a summary level of project and program activity for an indication of performance to initiate executive and governance awareness and action when necessary,

    • reflect common information through standard formats and data capture on cost, schedule, scope, and risk -- regardless of project or program type, funding, life cycle, and methodology,

    • begin discussions on project or program performance issues to assist with executive and governance decision-making.

Enterprise Performance Measurement Process (Enterprise Key Performance Indicators)

  1. IT enterprise performance management includes the use of standard enterprise key performance indicators (EKPIs) that are primarily objective and are calculated consistently for all items within the IT portfolio. The standardized EKPIs for cost, schedule, scope, and risk will be used to monitor key elements of project and program performance across the entire IT portfolio. Projects and programs report data in the EHA that, based on established enterprise criteria, will generate the four EKPIs - as well as an overall rating that reflects the worst performing of the four.

    • EKPI reporting enables IT to have a common enterprise view of project and program performance across the four key performance areas -- providing transparency across the enterprise and allowing decision makers at all levels the opportunity for awareness, as well as the ability to address potential difficulties as necessary.

    • EKPI definitions and calculations will be periodically assessed by an enterprise workgroup to ensure performance evaluation is conducted in the most effective, efficient, and meaningful manner for the potential changing needs of the IT organization.

    • EKPI potential changes (definitions and/or calculations) will be addressed by an enterprise workgroup to ensure consistency and agreement across IT before implementation.

Enterprise Thresholds and Escalation Process

  1. EKPI thresholds are established as a standard across the enterprise for ratings of cost, schedule, scope, and risk performance. Color/symbol indicators (green, yellow, red) based on these thresholds represent a standard signal of potential problems triggering identification, awareness, and investigation at the appropriate levels of management and/or governance. An IT ACIO or business unit support organization conducting first level review of their respective portfolios may determine further necessary actions based on the insights gained in that investigation – to include management or governance escalation for awareness or action required for mitigation or resolution.

  2. EKPI indicators are automatically generated based on the data elements entered each cycle (monthly or more frequently as necessary) in the EHA. These indicators should serve as an alert system and the color/symbol indicators should not be viewed exclusively for determining action or making decisions. As determined by varying levels of governance, these indicators will be a key component of defined escalation criteria. EKPIs will be used in recurring monthly reports or periodic live viewing for the various levels of IT portfolios throughout the IT ACIO and business unit support organizations. The format and context of these recurring EKPI reports will create a familiar and consistent view for executives, governance board chairs, Executive Steering Committees, and the CIO Office.

    • The control escalation process is an “early detection” process that uses the EKPI ratings to assess overall project health based on the severity of existing issues and potential risk.

    • The enterprise escalation process is used by project teams and their respective control organizations to initiate discussions, broader assessments, and potential resolution on areas of concern.

    • The escalation process helps stakeholders identify projects and programs with a real or potential concern, risk, or issue. EKPIs that exceed defined thresholds indicate an area of interest to be examined and understood by various levels of management and governance. If it is determined that a project needs a higher level of management/governance intervention, the project is elevated for broader awareness, understanding, mitigation and resolution.

  3. IT ACIO and business unit support organizations, Governance Boards, and Executive Steering Committees (ESC) shall apply the following escalation criteria:

    • One full month of overall red rating requires IT ACIO or business unit support organization review and assessment to recommend escalation.

    • Two full, consecutive months of overall red rating requires Governance Board (GB) assessment to recommend escalation.

    • Three full, consecutive months of overall red rating requires a joint ESC Chair and GB consideration for escalation to the Executive Steering Committee.

  4. At any time, the owning ESC or GB has the authority to accelerate escalation. Similarly, ACIOs and Deputy ACIOs have the authority to accelerate escalation.

  5. Additional detail on escalation and governance operation can be found in the IT Governance IRM 2.173.

Enterprise Control Mandates

  1. This Directive establishes mandates for IRS IT enterprise control functions (IT ACIO and business unit support organizations). Through internal controls during the initiation, design, development, deployment, and operations of the agency’s IT systems, these mandates shall be satisfied. This Directive requires adherence to the following mandates:

    • Compliance with Federal, Treasury, and IRS Policies

    • Promulgation of enterprise-wide control processes

Compliance with Federal, Treasury, and IRS Policies

  1. The purpose of this mandate is to ensure that all IT ACIO and business unit support organizations plan, manage, and implement activities in accordance with all applicable Federal, Treasury, and IRS policies and procedures.

  2. IT ACIO and business unit support organizations must adhere to the following requirements to satisfy this mandate:

    • All projects and programs within the IRS IT portfolio shall comply with Federal (e.g., Congressional), Treasury (e.g., Treasury Inspector General for Tax Administration) and IRS regulations and policies.

    • All projects and programs within the IRS IT portfolio shall comply with established enterprise control processes and procedures.

    • IRS Heads of Office shall be responsible for ensuring that their organizations are in compliance with this Directive. This responsibility may be delegated to facilitate implementation.

Promulgation of Enterprise-Wide Control Processes

  1. The purpose of this mandate is to require the control processes which enable IT governance, portfolio review, monitoring, support, and reporting for all stakeholders. The control processes include:

    • Completion of the Enterprise Health Assessment (EHA).

    • The EKPI performance ratings resulting from the EHA process.

    • Project and portfolio health/status reviews to include assessments of cost, schedule, scope, risk and escalation guidance.

    • Baseline Change Requests (BCR) and Milestone Exit Reviews (MERs).

    • The use of project management disciplines.

  2. To satisfy this mandate, the following requirements must be adhered to:

    • IRS IT executives shall promote adherence to IRS control functions at each identified control level (ACIOs, DACIOs, and IT ACIO and business unit support organizations).

    • All items within the IRS IT portfolio shall be assigned to an IT ACIO or business unit support organization after the IT portfolio has been formally approved and funded by the portfolio process.

    • IT ACIO and business unit support organizations shall effectively execute defined control processes to promote successful implementation of the IRS IT portfolio.

    • IT ACIO and business unit support organizations shall escalate projects and programs to higher levels of authority based on defined enterprise escalation guidelines provided in the governance directives.

    • IT ACIO and business unit support organizations manage their respective project and program data collection and review processes within the required monthly cadence.

    • IT ACIO and business unit support organizations own their project and program data, as well as any proposed escalation through formal governance by Strategy and Planning (S&P).

    • S&P shall maintain an enterprise IT portfolio to enable ongoing management and monitoring of IT funded projects and programs.

    • S&P shall maintain a summary reporting form/survey (Enterprise Health Assessment) (EHA) to facilitate and enable IT governance, IT portfolio review, monitoring, support, and reporting for all stakeholders, as well as adapt to evolving data capture needs for reporting IT progress at the highest levels.

    • S&P shall maintain a central repository for the collection, analysis, and storage of project and program status information in support of the enterprise HA process (using the Oracle Primavera Portfolio Management (OPPM) tool – formerly known as ProSight and as Primavera Portfolio Management).

    • S&P shall create standard enterprise reports to serve needs of management and governance at all levels so that the data captured is represented in a clear, concise, effective, efficient, and meaningful way.

    • S&P shall maintain a process that leverages project and program status information provided by the IT ACIO and business unit support organizations to facilitate the IT governance process.

    • S&P shall continue to assess tools and processes to reduce burden and create efficiencies for data collection and reporting regarding IT progress and performance.

Enterprise Control Levels and Responsibilities

  1. The control IRM, along with the governance IRM, identifies control activities from the project level to the Executive Steering Committee (ESC) level. The enterprise control organizations (IT ACIO and business unit support organizations) are responsible for implementing and monitoring established control processes to facilitate IT governance, portfolio review, monitoring, support, and reporting.

  2. The enterprise control functions (IT ACIO and business unit support organizations) are assigned for review and monitoring based upon the control levels outlined in this section of the directive. The roles and responsibilities vary with each control level.

    • Project and Management Control Level

    • Organizational Control Level (IT ACIO and business unit support organizations)

    • Governance Board Level

    • Executive Steering Committee (ESC) Level

Project and Program Management Control Level

  1. The project and program management control level is multi-tiered, consisting of both project/program and direct line management control responsibilities.

  2. The Project Manager (PM) has responsibility for day-to-day execution of a project’s implementation. The PM also has responsibility for control processes, which include performing the following control tasks:

    • Complete Enterprise Health Assessment survey/tool (EHA) for projects and/or programs currently assigned.

    • Establish, update, and maintain project and/or program data in the enterprise standard tool to support control processes (e.g., IRS Oracle Primavera Portfolio Management (ProSight)).

    • Track and report project and/or program variances and performance issues (e.g., cost, schedule, scope, risk).

    • Conduct and execute risk management activities (i.e., risk identification, analysis, and mitigation).

    • Capture and report project and program performance measures using EKPIs.

    • Participate in or conduct project control status reviews correlating to regular/monthly cadence reporting (defined by IT ACIO or business unit support organization).

    • Prepare, capture, and retain BCR decisions, and inform respective (IT ACIO and business unit support organization) of results, when applicable.

    • Prepare MER requests, including the capture and retention of Executive Steering Committee decisions.

    • Maintain annual planned and actual cost information so that a cumulative life-cycle cost is available.

  3. The management control level has the responsibility for multiple projects and programs. The PMs report directly to the appropriate management-level that has control process responsibility for their projects. To support control functions and validate checks and balances within the IT portfolio, the control management level responsibilities include:

    • Review and mitigate project and program variances and performance issues (e.g., cost, schedule, scope, risk).

    • Review and monitor project and program risk activities.

    • Escalate projects to organizational level (IT ACIO and business unit support organizations) and/or governance boards for review as necessary per enterprise governance escalation guidance.

    • Advise and provide guidance to project managers on technical, integration, budget and contracting issues.

    • Monitor compliance with governance, life cycle, budget, business, technical, legislative, and security requirements.

    • Review and monitor BCRs initiated at the project control level.

    • Review and monitor MERs initiated at the project control level.

    • Review and monitor planned and actual life-cycle cost information.

Organizational Control Level

  1. The IT ACIO and business unit support organizations are responsible for monitoring all project and program status information within their assigned organizations, the performance of control and management tasks, and for the successful execution of the following control processes at the organizational level. In some cases, the organizational control level (IT ACIO and business unit support organizations) may also serve as the management level for projects under their purview:

    • Ensure all projects and programs within the respective portfolio are participating in the required Enterprise Health Assessment (EHA) reporting process.

    • Ensure all projects and programs within the respective portfolio are assigned to the correct Investment and Unique Investment Identifier from which they are receiving IT funding for the given fiscal year per the FMS Control Chart listing - as required by the Enterprise Health Assessment reporting process.

    • Identify one to two representatives from the organization to act in a portfolio manager role for the respective IT ACIO or business unit support organization portfolio within the tool - with knowledge and acting authority to identify necessary changes to the inventory of projects and programs - to properly reflect current inventory of funded IT work to maintain the overall integrity of the IT Portfolio.

    • Review and analyze the project and program variances and performance issues (e.g., cost, schedule, scope, risk) within the respective portfolio on a regular cadence and mitigate when applicable.

    • Advise projects and programs on technical, integration, budget, and contracting issues.

    • Escalate projects and programs to appropriate governance boards or functional equivalent for control review per enterprise escalation guidance.

    • Escalate projects and programs to appropriate executive governance boards for exception review per enterprise escalation guidance.

    • Track and monitor compliance with governance, life cycle, budget, business, technical, legislative, and security requirements.

    • Track and monitor BCRs prepared at the project/management control level, when applicable.

    • Track and monitor MERs prepared at the project/management control level, when applicable.

    • Review and monitor planned and actual life-cycle cost information.

    • Review and monitor planned and actual schedule information.

Governance Board (GB) Level

  1. Ensure all projects and programs within the respective portfolio are participating in required Enterprise Health Assessment reporting process.

  2. Monitor the IT portfolio projects and programs through the enterprise key performance indicators generated by the enterprise health assessment including cost, schedule, scope, and risk.

  3. Approve cost, schedule, and scope plans for given fiscal year for projects and programs within respective portfolio - addressing any requests for re-baselining due to unforeseen circumstances throughout the year - approving cost, schedule, scope baseline changes (BCRs) or escalate to IT ESCs as necessary.

  4. Act to address variances and risks that are within the specific control and authority of the Governance Boards and escalate those items which need a higher-level of remediation to IT Executive Steering Committees (ESC).

  5. Continually assess risk on a regular cadence within respective portfolios to identify new risks, ensure mitigations for known risks are monitored, and to escalate those risks which need ESC awareness or intervention.

Executive Steering Committee (ESC) Level

  1. ESCs shall:

    • Oversee portfolio risk and performance

    • Resolve escalated risks

    • Recommend annual IT portfolio to the Senior Executive Team (SET)

    • Sponsor governance boards as needed

    • Delegate some governance decisions down to a governance board as appropriate

Waivers and Deviations

  1. There are no waivers or deviations from the mandates identified in the Procedural Changes Section of this document.