The More OMB Knows, The Worse It Gets

In an item posted today in his blog, “The Risk Factor,” risk management expert Bob Charette calls into question OMB's announcement yesterday that the number of IT projects on its Management Watch List had dropped 61 percent – in seven months. “This is truly amazing,” Charette writes. “Sixty-one percent of government IT projects on the OMB watch list, which indicates whether they are well-positioned to execute, all got better at the same time. One can only conclude that the government has found a new, secret way to manage IT project risk.”

The skepticism doesn’t stop there. In an article posted today on Government Executive’s Web site, government project management expert J. Donaldson Frame says, “When I see miracle improvements occur very quickly, I wonder whether the improvements are genuine or reflect statistical artifacts.”

And Ray Bjorkland, chief knowledge officer at federal marketing research firm FedSources, wonders how IT projects get on (and presumably then come off) the Management and High Risk lists in the first place.

For the 212 IT projects that came off the Management Watch List, OMB officials said those “agencies were able to adequately address deficiencies and weaknesses identified in these 212 investments by mitigating planning deficiencies, or in some cases, providing and completing additional documentation supporting their management activities.” No word on how well the projects are meeting budget, deadlines or performance measures, which Bjorkland says are the best indications of success in oversight of technology investments.

And the reason given for more IT programs going on the High Risk List? Again, better reporting from agencies, OMB said.

Interestingly, better reporting was the reason OMB gave yesterday for the doubling of the number of reported security breaches exposing personally identifiable information. “An increase in reporting isn't necessarily a bad thing,” said Karen Evans, who holds the Bush administration’s top IT executive position at OMB.

This reason was given on the same day that Microsoft reported that phishing scams had increased more than 150 percent in the first six months of 2007 and that the number of malware incidents had increased 500 percent. Not to mention the 90 percent increase (over nine months) in the number of cyberattacks directed at electric utilities.

It still hurts my head to try to follow this logic. The message seems to be: It's good to know how bad things are. That could be helpful, if you then used that information to develop a plan to fix the bad things. No word on that, yet.