2.173.2 IT Governance Procedures 2.173.2.1 Program Scope and Objective 2.173.2.1.1 Background 2.173.2.1.2 Authority 2.173.2.1.3 Roles and Responsibilities 2.173.2.1.4 Program Management and Review 2.173.2.1.5 Program Controls 2.173.2.1.6 Terms/Acronyms 2.173.2.1.7 Related Resources 2.173.2.2 IT Governance Procedures 2.173.2.2.1 Starting an IT Governance board 2.173.2.2.2 Meeting Frequency 2.173.2.2.3 Meeting Artifacts 2.173.2.2.4 Annual Governance Self-Assessment 2.173.2.2.5 Annual Membership Review 2.173.2.2.6 Annual Charter Review 2.173.2.2.7 Enterprise Health Assessment 2.173.2.2.8 Decommissioning a Governance board Part 2. Information Technology Chapter 173. IT Program Governance Section 2. IT Governance Procedures 2.173.2 IT Governance Procedures Manual Transmittal February 12, 2024 Purpose (1) This transmits revised IRM 2.173.2, IT Governance, IT Governance Procedures Material Changes (1) IRM 2.173.2, Updated to include all Internal Controls and reorganized related subsections. (2) IRM 2.173.2, Minor editorial changes to include plain language, correct broken links, updated authority and organizational terms to increase clarity. (3) IRM 2.173.2.1, Original Section 2.173.2.1.1.3 - Objective, realigned to Programs Scope and Objectives as paragraph 2 for internal Controls format. (4) IRM 2.173.2.1, Original section 2.173.2.1.1.2 - Goal, realigned to Programs Scope and Objectives as paragraph 7 for internal Controls format (5) IRM 2.173.2.1.1, Original Section 2.173.2.2, realigned for Internal Controls format. (6) IRM 2.173.2.2.3, Section renamed from Meeting Minutes to Meeting Artifacts which includes a reference to follow the IRS General Records Schedules. (7) IRM 2.173.2.2.5, New section added, Annual Membership Review Effect on Other Documents IRM 2.173.2 dated January 28, 2022, is superseded. Audience IRS IT employees and contractors who support reporting and oversight activities of IT programs, projects, and portfolios. Effective Date (02-12-2024) Rajiv Uppal Chief Information Officer 2.173.2.1 (02-12-2024) Program Scope and Objective This IRM section provides policy and procedures to support, promote and execute effective IT governance. Purpose: The purpose of this IRM is to establish the processes and procedures for IT governance. IT governance provides a framework of accountability, transparency, and decision-making on the IRS IT investment portfolio. Audience: IRS IT employees and contractors who support reporting and oversight activities of IT programs, projects, and portfolios. Policy Owner: IRS IT, Strategy and Planning Program Owner: IRS IT, Strategy and Planning, Investment and Portfolio Control and Oversight (IPCO), Investment and Portfolio Governance (IPG) Primary Stakeholders: All IRS IT organizations and business units. Program Goals: The goal is to outline the processes and procedures of IT governance in providing effective oversight and decision-making on IRS IT programs, projects, and portfolio investments. 2.173.2.1.1 (10-04-2019) Background IT Governance is a subset of the broader IRS Governance ecosystem that provides a decision-making and oversight framework for the execution and delivery of IT investments, programs, and projects. This IRM outlines the procedures for starting an IT governance board, establishing meeting frequency, maintaining meeting artifacts and decisions, the annual self-assessment process and the health assessment process. 2.173.2.1.2 (01-28-2022) Authority Authority for this IRM includes: Federal Information Technology Acquisition Reform Act (FITARA) OMB Circular No. A-130, Managing Information as a Strategic Resource OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget Treasury Directive 81-01, Treasury Information Technology (IT) Programs Additional sources of authority can be viewed on the IPG SharePoint site 2.173.2.1.3 (02-12-2024) Roles and Responsibilities See the table below for a description of the boards: Board Type Description Executive Steering Committee (ESC) ESCs are top-level governance boards sponsored by the Deputy Commissioners and chaired by IRS senior leadership. ESCs sponsor GBs and receive reports from them. ESCs may make key IT Governance decisions or delegate them down to a GB or Advisory Board. Governance Board (GB) GBs are sponsored by and report to an ESC. There are two kinds of governance boards: Organizational: Portfolio is worked and managed in the sponsoring organization (e.g., Enterprise Operations or Applications Development) Dedicated: Portfolio is funded from one or more investments overseen by the subject GB (e.g., Web Applications) or projects specific to an IRS function (e.g., Financial Services) Advisory Board (AB) ABs are sponsored by and report to a GB or ESC. They: Support their GB or ESC by providing Subject Matter Expertise May make governance decisions as delegated by the ESC 2.173.2.1.4 (02-12-2024) Program Management and Review Program reports are generated using data sourced from the IT portfolio management tool and referenced during IT governance board meetings to support decision making. Records are maintained for all board meeting decisions, presentations and supporting artifacts to measure the program’s effectiveness. 2.173.2.1.5 (02-12-2024) Program Controls This program uses the IRS Internal Management Documents System to establish controls. 2.173.2.1.6 (02-12-2024) Terms/Acronyms See table below for acronyms and terms: Acronyms Description AB Advisory Board ESC Executive Steering Committee FITARA Federal Information Technology Acquisition Reform Act GB Governance Board (reports to an assigned ESC) IPG Investment and Portfolio Governance MM Meeting Minutes Term Definition Escalation Escalation is the process for reporting and escalating program / project risk up from a subordinate GB to an ESC. Health Assessment (HA) Health assessments are a process used to determine the health of a project. Boards conduct health assessments of IT projects using KPIs. IT Investment A single line item of funding in the IT Portfolio. Frequently a related set of procurements, projects, programs, and operations organized around a mission, related business functionality, or an end-to-end process. IT Program A group of organizational or functionally related projects managed in a coordinated way to obtain benefits and control not available from managing them individually. IT Project An IT endeavor with a unique start and end date following a defined software development lifecycle, or an implementation schedule and has approved funding and staffing resources which can be planned, monitored, measured and controlled which directly result in a unique product for business functionality. IT Projects are undertaken for development, modernization, enhancement, disposal or maintenance and are funded from a specific investment with a Unique Investment Identifier (UII) which determines ESC alignment. Projects are assigned to a GB based on functionality and organizational alignment and are responsible for regular performance reporting. IT Portfolio A collection of IT projects, programs, and/or investments used to represent the inventory of IT work being conducted and executed throughout the service for the given fiscal year, and within the confines of the IT budget. Key Performance Indicator (KPI) Key Performance Indicators are indicators used to monitor the health of IT projects. The indicators are used to create a KPI scorecard which allows reviewers to determine the health of a project at a glance. Boards use the KPIs to conduct project health assessments. One Solution Delivery Lifecycle (OneSDLC) One Solution Delivery Lifecycle (OneSDLC), a flexible delivery model created by and for the IRS that provides guardrails for quality, compliance, and executive oversight. OneSDLC is comprised of three states, Allocation, Readiness, and Execution, with most of the work taking place in the Execution State. OneSDLC has an integrated governance process that empowers teams to deliver frequent small increments. OneSDLC requires formal compliance and governance signoffs prior to exiting each state. Signoffs will also continually occur throughout the Execution State. Performance Reviews Performance reviews are reviews conducted to ensure an IT portfolio and its projects are on target to be delivered as forecast. Boards conduct quarterly performance reviews to monitor projects and portfolio performance, ensuring timely and at cost delivery. 2.173.2.1.7 (02-12-2024) Related Resources IT governance templates, guides and information can be found on the IPG SharePoint site. Additional information on the OneSDLC process can be found by reviewing IRM 2.31.1 or by visiting the OneSDLC SharePoint site. 2.173.2.2 (10-04-2019) IT Governance Procedures This document provides IT governance policy and procedures to support, promote and execute effective IT governance. 2.173.2.2.1 (01-28-2022) Starting an IT Governance board Before starting a new board, consult the IPG team to first attempt to align your new program, project, or initiative with an existing IT governance board (GB) and Executive Steering Committee (ESC) in the IT Governance Framework. The Investment & Portfolio Governance Office will assist you in finding the best fit. If you’re considering a new Dedicated GB, the Starting a Dedicated GB worksheet will help you determine if a new GB is appropriate. If a new board is appropriate, you will need an executive sponsor and stakeholder approval to start this process. The Readiness to Govern Checksheet guides you through the process of standing up a new board. Sponsoring executives must identify a new board’s support staff. All IT GBs and ESCs must have a charter. Charters are essential for good governance to document a board’s roles and responsibilities. Before drafting a charter for a new GB, determine the type of board needed. The IT Governance Charter Guide provides a charter template for each type of governance board listed above, along with tools to walk you through the process of drafting and seeking approval for your charter. Chairs are responsible for proposing GB membership, responsibilities, and authority in the charter to approving executives. ESCs provide oversight to their subordinate GBs. ESCs review and approve subordinate GB charters and may assign objectives, responsibilities, and decisions to them as well. Determine the frequency and schedule of meetings for your new GB. To gain charter approval first share your draft charter with IPG team for input and feedback. Once the initial IPG review is competed prepare an Action Routing Sheet to request executive signature and approval of your charter. The table below describes the approving executive for each type of governance board. If the Board Type is... the Approving Executive is... ESC IRS Deputy Commissioner Organizational GB Chief Information Officer Dedicated GB Executive Steering Committee 2.173.2.2.2 (10-04-2019) Meeting Frequency Governance boards are responsible for establishing and maintaining a meeting schedule that supports effective governance and oversight. A board must be decommissioned if it no longer meets. Complete the decommission template and email a copy to *IT Program Governance Office when shutting down a governance board. 2.173.2.2.3 (02-12-2024) Meeting Artifacts Governance boards are responsible for: Documenting meeting minutes (MM) Tracking action items in the MM Routing and sharing the MM with the presenters, chairs and voting members for review, comment, and approval. Retaining historical artifacts in alignment with the IRS General Records Schedules. 2.173.2.2.4 (01-28-2022) Annual Governance Self-Assessment GB Leads are responsible for completing and returning an annual self-assessment survey of their board’s operations. Step Actions 1 IPG emails the self-assessment survey to all GB Leads. 2 GB Lead submits the online survey to IPG by the deadline given. 3 IPG uses the survey to: Collect and respond to GB feedback Improve IT governance tools and templates Identify training needs Provide a report on the current state of IT Governance If you identify gaps in your GBs operations while completing the survey, determine how to close those gaps: IPG can assist with IT Governance training and resources. Some gaps must be raised to GB leadership to resolve. For example, if you determine the GB needs to expand voting membership based on your portfolio, that’s an issue to raise to the Chair(s). 2.173.2.2.5 (02-12-2024) Annual Membership Review Governance Leads are responsible for reviewing their board membership annually to ensure the board maintains the appropriate mix of stakeholders to effectively oversee the portfolio. 2.173.2.2.6 (01-28-2022) Annual Charter Review Governance Leads are responsible for reviewing their charters annually to see if they need updating. An update is appropriate when there are substantial changes in board roles and responsibilities. Use the: ESC Charter Addendum template for ESC Charter updates, or the GB Charter Addendum template for GB Charter updates Chairs may request, approve, and sign a charter addendum. Sometimes changes are so extensive you need to draft a new charter. The process to review and approve the new charter is the same as the process used to secure approval of the original charter. 2.173.2.2.7 (01-28-2022) Enterprise Health Assessment The IRS identifies, assesses, manages, and monitors risk through risk management. Governance provides a forum for identifying, assessing, escalating, and mitigating IT project risks. IT Portfolio performance reviews are conducted using KPIs captured within the enterprise health assessment report, generated through the performance management tool. Compliance reviews and formal governance signoffs occur following the OneSDLC IT lifecycle management process. Governance boards are required to follow the Enterprise Health Assessment process found in IRM 2.172.2, Enterprise Control Authority and Operations. 2.173.2.2.8 (01-28-2022) Decommissioning a Governance board When a GB or ESC fulfills its mission and is no longer needed, follow the steps below to decommission the board. Step Action 1 Obtain approval to decommission the board 2 Transition projects in the GB or ESC portfolio to another GB or ESC (if required) 3 Document the decommission in the owning ESC’s Meeting Minutes using the Decommission Template If a board has not met in a year, the Governance Lead should consider if the board is still needed. More Internal Revenue Manual