Getting in Line

Most agencies (and companies) still don't align information technology with business strategies, but the Nuclear Regulatory Commission has started to.

In Steven Spielberg's 2002 science fiction film Minority Report, police chief John Anderton (played by Tom Cruise) stands before a giant glowing wall of computer screens and uses his hands to nimbly manipulate a vast repository of electronic data. The system speedily rearranges the results of queries Anderton makes about criminals, based on the nature of his requests. As he drills deep into the database, Anderton is able to grab, drag and drop interactive components of his search into a comprehensive suspect dossier. The research is fast, effortless and effective. The police chief is cool, calm and collected.

This is business intelligence in 2054. Although it seems far-fetched, its framework is an indication of what tomorrow might hold. Some companies, and a handful of federal agencies, invest in technologies to advance their missions and to make the most out of the data they collect, store and share - without Hollywood superstars and a suspenseful soundtrack.

It's called IT alignment - matching technology spending to what the agency was formed to accomplish, so it can do it more efficiently. But IT alignment remains elusive for most agencies, and even for most companies, which have struggled to figure out exactly how to do it or to find time to do it effectively. But it can be done, as it is at the Nuclear Regulatory Commission. The agency was jerked into a harsh reality by the Sept. 11, 2001, terrorist attacks, forced to shift its mission from reducing the chance of accidental contamination to addressing the possibility that terrorists obtaining everyday devices could use radioactive material to make dirty bombs. NRC's information technology shop and its top executives had to work quickly on a solution.

The chief information officer, the head of NRC's program to ensure the safe use of radioactive material and other agency executives worked with manufacturers of the material, states and other outside stakeholders to create the National Source Tracking System. NRC plans to turn on the system in December to track radioactive material from the point it is manufactured to its disposal in a proper facility. The NSTS will become part of the agency's core systems to meet its goal of keeping radioactive material out of the hands of terrorists.

To get there took foresight and flexibility, and it required CIO Darren B. Ash on the leadership team looking for solutions. "Having a shared, mutual goal will always help," Ash says. "What helps with alignment is having a shared goal and an agreement about the high priority and sensitivity of the work. This is for all stakeholders within the agency whose systems touch the core."

Finding a Balance

The quest for alignment begins and ends with solid IT management, Craig Symons, a vice president and principal analyst at Forrester Research, wrote in a 2005 report titled "IT and Business Alignment: Are We There Yet?" Alignment "is a byproduct of strong IT governance structures and processes that have matured to the point of being part of an organization's culture," he said. "More importantly, alignment must be monitored and measured, and management must be held accountable for results."

A metric some use is the percentage of the agency's IT budget spent on initiatives compared with how much of it funds the status quo, also known as "sustaining the business," Symons wrote. Research by Forrester and other analytical firms has demonstrated that on average, companies spend only 30 percent of their IT budget on initiatives, while best-of-class firms - those that lead their business sectors - spend as much as 50 percent.

A 2007 Forrester report, "Debunking Alignment Nirvana," by former vice president and principal analyst Laurie Orlov, warned that achieving 100 percent alignment will no longer be possible, if it ever was, as firms evolve during the next five years toward business technology - the kind that specifically drives results. "IT business alignment will be replaced with BT synchronization - a continuous balancing of an enterprise level of focus, a networked balance of supply, and a change agent role in the business strategy and processes of the enterprise," wrote Orlov, who is now a consultant. "Today's CIOs should calibrate their current status and work with their CEOs to achieve BT synchronization."

All this might sound obvious and be something that every organization should be doing. But few are. Only 15 percent of senior IT executives said they have fully aligned their IT investments with the core business, according to a Forrester survey. Respondents ranked themselves a 3.7 on a scale of 1 to 5, with 5 being fully aligned.

Orlov concluded that CIOs are perpetually insecure about their degree of alignment because of a high demand for response to business needs. They find themselves in an IT tug of war over the small percentage of resources available for new work, she wrote. Deciding what to focus on - operations, maintenance requests or driving business process change - is another dilemma, as is the quicker pace of change outside IT. "People are not clueless about [alignment]," she said. "They simply cannot flex IT resources quickly enough to match the demand across all parts of an enterprise."

Post-9/11 Needs

For many federal agencies, Sept. 11 presented a huge change in direction. One of those agencies was NRC, which was able to quickly shift its IT spending priorities to align it with a new strategy - keeping radioactive material from falling into terrorists' hands.

The agency's mission is to regulate the use of radioactive material for beneficial purposes while ensuring that people and the environment are protected from radiation hazards. Before terrorists flew jetliners into the World Trade Center and the Pentagon, the commission focused on industrial security, ensuring that materials did not inadvertently get into the wrong hands and cause damage.

Several incidents in the 1980s and 1990s showed the importance of that job. In Goiânia, a city in central Brazil, children playing in an abandoned health clinic found a medical device containing caesium-137. They took apart the device to get at the radioactive material, which emitted a blue glow (as well as gamma radiation). Nearly two dozen residents were sickened and four died. In another incident, nuclear material was mistakenly dumped in a scrap yard and the radiation ruined a machine that recycles metal, known as a smelter.

Occasions like these prompted the International Atomic Energy Agency to establish principles creating registries for radioactive isotopes, which play an important role in the development of medical and health technologies. They are found in everything from cancer screening tools to diagnostics for heart disease. The United States was a key player in developing a code of conduct. But then Sept. 11 occurred, and NRC's focus changed from inadvertent slip-ups to making sure terrorists didn't steal radioactive material to make dirty bombs.

Within a matter of months, NRC started to shift its strategy from containing isolated incidents of contamination to the unthinkable - a terrorist obtaining radioactive isotopes from everyday products. Within a few weeks, the agency shut down its Web site to rethink what information to post and how its mission could change.

It took years for Congress to catch up to what NRC executives had been thinking. In 2005, the Hill passed the Energy Policy Act, which required NRC to establish a Web-based system to register sources of isotopes that present the greatest risks, known as Category 1 and Category 2 materials, such as those used in weapons grade uranium and plutonium.

IT's Answer

Long before the legislation passed, NRC was hard at work on a solution, according to CIO Ash and Terrence Reis, deputy director for the division of materials safety and state agreements. The two are at the helm of the National Source Tracking System, a pioneering project when it was conceived. Companies that make and use products containing radioactive material (known as licensees) will use NSTS to report how much they manufacture, when a company receives the products, when the used material is sent to a waste site, and when the site receives that material.

By closely monitoring radioactive material, NRC can keep tabs on where it is, what it is being used for and who has access to it. Lockheed Martin Corp., the contractor building the system, is putting the finishing touches on the catalog, and officials hope to flip the switch on in December.

Access to the NSTS will be limited and controlled by the use of smart cards. The data will not be available to the public, and the government will protect the information under the security designation "Sensitive." Manufacturers and users of devices containing radioactive material will have access to information only at their facilities. They are required to report their inventories of material to the NSTS by Jan. 31, 2009. "Our goal is to have a system that is near real-time, that's secure enough and robust enough that it can be updated regularly by us and by licensees," Ash says.

NRC administrators have no way of knowing how many companies will use the tracking system until the program launches. There are more than 1,200 licensees, and the agency expects each to have one or more staff members credentialed and outfitted with access cards. NRC has contracted with a company to train users nationwide.

Two complementary programs under development - a Web-based licensing system and a license verification system - will work in concert with NSTS. Ultimately, NRC will be able to query NSTS to determine the amount of radioactive material on a company's books and then query the license verification database to find out whether the company is allowed to have that material. "Pairing those will give you an answer as to whether a transaction is an appropriate transaction," Ash says.

NRC designed the system so data can be easily shared, extracted and manipulated, Reis says. But IT solutions are only part of what he views as a much larger mission to improve security for Category 1 and Category 2 sources. "We've also required increased physical controls, fingerprinting and background checks of individuals who have access to material," he says. "It's a much-changed landscape than it was a few years ago."

Officials will launch version 1.0 of NSTS, but plans already are in the works to expand it and incorporate Web 2.0 capabilities. The next-generation NSTS, for example, would provide regulators with immediate feedback if data in the system is flawed, according to Ash and Reis. "We won't have to go into the system and examine the content manually to know if a transaction is appropriate," Reis says. Version 2.0 also will include other players in the business of securing the nation, such as the Homeland Security Department. The updated tracking system is expected to be finished in 2010, he says.

Making It Work

Consultants who specialize in aligning IT with the mission say a key component is top executives who will collaborate frequently on how to meet the organization's strategic goals and remain flexible. Orlov advises her clients to follow four general principles to jump-start IT alignment:

• Ensure that the chief information officer sits with the top governing team of an organization.

• Maintain good relationships with peers and consider their issues and concerns.

• Allocate a portion of the IT budget to flexibility, so top priority requests at least can be evaluated.

• Separate ongoing operational IT work from peer-focused business change, and put someone in charge of day-to-day systems maintenance, and management of infrastructure and call centers.

Orlov points out that IT alignment in government is no different than the approach in business. The degree of alignment depends on frequent communication among top executives and the ability to react to strategic change, particularly in the IT shop.

Ash, Reis and NRC's other top officials did most of what Orlov prescribed. Because NSTS was so central to the mission, it had to involve numerous executives inside and outside the agency. "The earlier you can start building consensual agreements and a consensual framework, the better," Reis says. The CIO had direct access to executives overseeing NRC's primary functions. Representatives from four offices with expertise in radioactive material safety, contracts, computer security and legal issues have been part of the discussions and deployment of the system.

Leadership meetings were held weekly; project level meetings were held more frequently. Executives briefed NRC about the NSTS annually, and additional updates were provided to individual commissioners. NRC also has kept Congress informed about the project.

From the beginning, Ash and Reis recognized that NRC must work closely with federal and state agencies. To develop the requirements for NSTS, the agency formed committees and working groups to solicit the views of those that would be affected by the system. The panels included members from NRC, the Energy Department, participating states and others who would be involved in NSTS.

NRC also formed an inter-agency coordinating committee consisting of 10 federal agencies and states to provide guidance on interagency issues with development, coordination and implementation of the system. The committee approved the high-level requirements for NSTS, and it continues to meet and make recommendations for improvements. NRC gathered input from outside the agency through the rule-making process that established the regulatory requirements for reporting to the system.

Aligning IT required preparation on the micro-level, too, summed up by Ash and Reis with the adage "Look before you leap." Understanding the scope and goal of a project "at the very beginning of the process, before you start to do any heavy-duty coding," is crucial, Ash says.

The IT staff followed a phased development approach in which data processing capabilities were kept separate from security components, Ash says. Security designs and requirements were part of the overall approach from the beginning of the project, but NRC modified them along the way. "By using a module approach, we were able to effect changes without impacting previously developed code," Ash says.

Ensuring that participants and partners in the initiative worked collaboratively not only benefited the development of the tracking database; it also informed NRC's overall planning process.

And that collaboration hasn't stopped. "The best example of that is we're in the midst of replacing our core financial system - that's a CFO-led project, but it touches many other parts of the agency," Ash says. "It's timely because we can look back at what we've done with the NSTS and start to apply it in this instance."

Andrew Noyes is a reporter for National Journal's CongressDaily.