Business Process Analysis Consulting Workshop
Work Session #1 Meeting Notes
12/10/2007 Attendees: Gerry Woock, Lorie Campbell, Sean McSpaden, Darren
8:00 AM – 12:00 PM Wellington, Ed Arabas, Virginia Alster, Matt Matson, Teri Watanabe
DOR Room 467
Information Resource Request (IRR) Business Process Analysis
IRR Workshop Considerations
• These workshop sessions are not “once and for all” discussions. We will focus on interim
improvements in this “version 1” reengineering effort.
• Consistent agency representation is vital.
o There may be implications for attendees who miss sessions.
Time delay as we re-cover material.
Loss of potentially valuable input.
o Agencies will try to send the same points of contact to all sessions. Agencies will
review the session outlines for each upcoming session and invite additional agency
staff to participate if needed (e.g., if other staff within the agency are more
knowledgeable about a specific portion of the IRR process).
• Timeframe is very aggressive; everyone’s participation is greatly appreciated.
• Action item (EISPD): Gather numbers on IRR submissions.
IRR Definition: A Project Request
• Request is over $75K ($ threshold for State CIO approval set within DAS Statewide Policy.
Originally set to align with DOJ legal sufficiency review and DAS SPO contract review and
delegated signature authority thresholds. DOJ threshold is set in statute. DAS SPO threshold has
changed to $150,000 within Oregon Administrative Rule).
• Defines the business problem the agency is trying to solve (i.e., the purpose of the project).
Includes reasons to pursue the project, alternatives considered, relative risks and costs of each
• Can involve a Cost/Benefit Analysis. (Note: ODOT IRRs are typically submitted after an
“Opportunity Evaluation” is conducted in alignment with ODOT’s P+ methodology. DHS has
begun to submit business cases along with the IRRs, but that practice is not universal, especially
on lower dollar projects.)
• Business Case/Cost Benefit Analysis is required at $125K or more ($ threshold is set within DAS
• EISPD/ITIP 100% review of midrange/mainframe server request (policy) – EISPD requests
review and recommendations from SDC for all SDC agencies and some non-SDC agencies
depending on the request.
• EISPD/ITIP 100% review of information security hardware, software and services – EISPD/ITIP
requests review and recommendations from Enterprise Security Office.
• EISPD/ITIP 100% review of non ESRI GIS Software – EISPD/ITIP requests review and
recommendations from the EISPD Geospatial Enterprise Office.
• Agencies typically create IRRs after the legislatively adopted budget (LAB) is approved.
• EISPD/ITIP conducts IRR review per Information Technology Investment Review/Approval Policy
– policy is designed to fulfill generally expressed oversight obligations contained within multiple
Oregon Revised Statutes (291.038 and 184.473-184.477, et.al.).
o Process has touch points with DAS State Procurement Office and DOJ Legal Sufficiency
to some lesser extent.
• DAS review of IRR is to “value add” the enterprise perspective (cross-agency) to project ideas
that are agency-specific.
Forms Factory Page 1 12/12/2007
• What are the elements of “project” cost vs. total cost of ownership (TCO)?
o Should internal development costs, and other internal staff costs be included? (Some
agencies include those costs, others do not.)
o HW/SW maintenance and support?
• Is an IRR required for maintenance/licensing renewals?
• Policy today is centered on procurement. Is this sufficient?
• Threshold limits — $75,000 and $125,000:
o Are they understood by agencies?
o Do they align with current policies, Oregon revised statutes and Oregon administrative
o Are these the appropriate limits, given the current policy and technical environment for IT
• What is the timeline for an agency to formulate an IRR?
o SDC doesn’t know currently when the agency is formulating the IRR.
Request fulfillment project currently underway – As support requests come in,
they will be tracking how long it takes from initiation to completion.
When (and should) the SDC be involved in IRR review?
o EISPD also doesn’t know currently when an agency is formulating an IRR.
o Agency creates project timeline after LAB.
Opportunity to evaluate project timelines and phasing to better plan for EISPD
and SDC involvement.
Opportunity to better manage the business impacts on agencies and DAS
through early involvement.
Opportunity to better plan the process of developing the agency business case,
SDC support request and IRR development.
• Does the QA policy align and integrate well with IRR policy? (future)
o Business case requirements?
o IRR requirements?
o Do agencies understand Quality Assurance requirements?
o Are the $ thresholds for QA understood by agencies?
o $5 million required
o Project cost exceeds $1 and meets other criteria listed within the policy
o <$1 M – Discretion of DAS EISPD/ITIP – QA program – depends on risk and other
What does an agency do once it determines an IRR is needed?
• Variation by agency – size, skill set, personnel expertise.
o Project size may determine process (disparate processes):
Small projects — Agency PMO determines.
Large projects — More formal review/approval process.
o Staff varies: IT staff, PMO staff, knowledge level.
Project managers — Can be outside or inside agency.
• There is not a good understanding of IRR process.
• Agency plans IRR at project initiation.
• Process memory/institutional knowledge went to SDC.
• Current process owner for IRRs within DHS is likely Office of Information Services - Strategic
Systems Initiatives (SSI).
• Within the agency, smaller projects are not likely to have a structured agency review process.
Forms Factory Page 2 12/12/2007
• Disparate processes for small and/or large projects.
o Large projects within DHS are handled outside of the normal process. Special scrutiny
and executive review and oversight applies.
• Includes IRR in total project timeline.
o Opportunity evaluation.
o Cost/benefit analysis.
o Exception is governor mandated projects.
• Although most of the projects flow through ODOT Transportation Application Development (TAD)
and are processed through the CIO’s office, the IRR process within the agency is completed
differently division by division.
• Large projects get the attention.
• Challenges with the IRR – come up with consistent process across the agency.
• Incremental level of information.
• ODOT does have business involvement in the planning of the project. Agency has an Information
Resource Management planning process that projects can be tied back to.
• Current effort underway to understand roles and responsibilities in the support request process.
o Operations managers vs. account managers
o Identify and educate
• Differentiate an information request vs. a support request.
IRR Workflow Process
• IT Investment Review and Approval (Information Resource Request – IRR) is a DAS-owned
policy and process.
• Currently, there is no guidance on project lifecycle:
o IRR is submitted by different agencies at different points in the project lifecycle. Some
agencies submit during initiation phase, some in the planning phase, some in the
execution phase just prior to procurement.
o Agency information gathering process is not defined.
o When should a consultant perform a feasibility study?
o Is a business process analysis a requirement?
o How does the policy apply?
o Are internal (agency) resources available to complete and submit the required
• Submission via:
o Hardcopies: Interagency mail.
Policy points to an unmonitored inbox – agencies that submit regularly know this
and submit directly to Sean McSpaden for processing. Not a sustainable
Policy requires signatures – process inconsistency. Need to define a process for
electronic signature/authorization if electronic submission is preferred.
o CIO vs. direct from department
Sometimes the request comes from the agency CIO’s office.
Sometimes the request comes from a division or section within the department
without the CIO’s signature.
Direct from sections/divisions can cause delays because signatures (especially
the agency CIO’s) are usually missing.
Forms Factory Page 3 12/12/2007
Request that a line/box be added to IRR form for CIO signature.
Scanned signatures are accepted.
Wet signatures primarily.
1. EISPD Analyst
2. Agency Business Owner
3. Agency Tech Manager (EISPD wants the signature of the Agency CIO or
equivalent. At times, EISPD gets an IT manager signature from a different part of
the agency – mainly in larger agencies).
• This terminology “agency technology manager” was used when the
original policy was first put in place nearly a decade ago. Most agencies
didn’t have the position/title of agency CIO at that time.
4. State CIO/state designee
o New signature lines may need to be added in the future.
1. Additional signature lines at the agency level (especially for larger agencies with
multiple levels within the organization).
2. SDC involvement/concurrence with the technical approach (for SDC in-scope
HW/SW/services) and cost estimates (for SDC in-scope services).
3. EISPD Section managers (enterprise program leaders – e.g., Enterprise Security
Office, Geospatial Enterprise Office, E-Government Program, Business
4. Other – e.g., State Controller’s division for e-commerce/financial systems.
• How does QA review impact IRR?
o Examination of this adjunct process may require a separate analysis and discussion.
• Subject Matter Expert (SME)
o 1 day – weeks
o Responsible for reviewing, responding in writing, and providing recommendations.
Infrastructure already implemented enterprise-wide (SDC, GIS, Security, e-Gov,
Align project to enterprise strategies, policies and statutory requirements, etc.
o Missing information: often financials (TCO, inflows and outflows over a planned lifecycle
– 5, 8, 10 years). Other missing information relates to agencies not addressing the core
questions posed on the form itself.
• Total IRR review/approval cycle time is currently 0 – 1½ months (estimate). Different processing
time on individual requests. Each project is in some way unique. Knowledge work is required on
each. Cycle times could be reduced by ensuring needed information is submitted the first time.
Cycle times could be reduced if SDC, e-Gov, GEO, ESO were involved in project/IRR
development process as appropriate PRIOR to IRR submission. If an IRR involves services these
programs provide, EISPD will ask for their review 100% of the time. If an agency hasn’t worked
with them prior to IRR submission, delays are possible.
o IRR receipt and approval dates are captured in an Access DB along with other project
o Project evolutions after IRR approval (budget, schedule, etc.) are not currently captured.
o No ability or incentive to look back (for process management, tracking of success, etc.)
• Revisions: Current process does not enable changes to be made easily.
o Current process envisions a signed IRR to be submitted. If revisions are required to the
IRR during EISPD/ITIP review process, the form that was submitted may have to be
revised and then signed again by agency management.
o Current workaround is to add additional documents or e-mails as attachments.
• Emergency IRR process — Documented process not currently in existence:
Forms Factory Page 4 12/12/2007
o Doesn’t have to be advertised to agencies, but EISPD should know the procedures to
handle emergency requests.
o “Fast track” process.
o Policy workaround.
o Define agency workaround.
o Determine effect on other projects.
• IRR close:
o There is currently no IRR follow-up process.
If project changes (budget/schedule/scope are made after IRR approval…no
defined process exists for agency update of the IRRs.
o Current process, hard copy ends up in file cabinet.
No way to search for information.
o High-level information entered into MS Access DB.
Database is not currently able to track changes to the IRR over time.
Project close information is not captured.
• Lack of knowledge (even though the process has been in place for more than a decade)
o Requirements (When does an IRR have to be submitted?)
o Changes in personnel (retirements, organizational change, etc.)
• What is the IRR disposition?
o Agencies need to know
o When was it was received?
o Who is it assigned to?
o What is the expected timeframe?
• Once an IRR is submitted, there is a lack of knowledge as to where the IRR is in process.
o Process transparency is a goal/opportunity.
o Similar to service/support requests?
o SDC determination for new requests?
o Billing during development?
o SDC rates for services?
o Ongoing rates for support/maintenance?
o SDC review process – potential for delays – process is reactive.
o SDC capacity for review and cost/quote development is unknown.
• Receive IRR at different points of lifecycles.
o Project initiation/procurement.
• Lack of or limited financial information.
• No signature.
• Incomplete information; form not filled out.
• Form is not asking for all of the right information.
• Receive incomplete business cases.
1. Cost/benefit analysis incomplete.
2. Business/technical/operational risk assessment is not done or is incomplete.
• Agency being asked to provide redundant information (IRR/Business Case and feasibility
information) – redundant to agency (internal) review and authorization process.
Forms Factory Page 5 12/12/2007
• Agency has already decided on product and performs incomplete or biased evaluation of other
• Agency has not clearly defined problem/solution.
• Agency not doing enough research:
o No thinking beyond Policy Option Package (POP) – limited inclusion of full costs or total
costs over the life of the investment.
• No or limited SDC/SME involvement prior to IRR submission
• Apparent disconnect from business side and IT side.
• Total cost of ownership not understood, included, or explored.
• IT Portfolio Management Law (ORS 184.473-184.477) – Law passed for collection of information
on IT investments (IT assets, IT projects) and rules, processes, procedures, etc. for portfolio
• Clarify IRR definition – IT Investment (amount of the procurement) vs. IT Investment re the
Project – internal or external resources (align definitions to make sure internal costs are included
in the project).
o Projects fall down by not budgeting for ongoing maintenance and support costs.
o Need to make sure IT cost benefit analysis includes ongoing costs over the life of the
o Obtain a clear picture of the total costs of the system.
• Develop clear set of instructions for IRR creation.
o Consider small, midsize and large project information needs.
o Communicate and market services via clear instructions and process for the IRR
o Define outside/inside agency projects = Federal Funding “untouchables.”
Determine where the money comes from.
But still align IRR process as enterprise-oriented need/requirement.
o Include EISPD review and input as an early milestone.
o Make interactions transparent for all involved (SDC, analysts, SMEs, SPO, etc.).
• Frontload agency (SDC, DAS EISPD Section manager, SPO/DOJ analyst/AAG assignment etc.)
evaluation/collaboration/approval for the IRR process prior to analyst sign-off to:
1. Eliminate rework.
2. Eliminate approval delays.
3. Increase customer satisfaction.
4. Increase customer involvement.
5. Add value to IRR at each step
• Provide guidance on project lifecycle:
o IRR submitted prior to project execution phase.
o Define a “best practice” information gathering process.
o Feasibility study.
o Business process analysis.
o Clarify how the policy applies.
o Identify internal (agency) resources that will be working on IRR/Business Case
• Review processes for specific types of IRRs:
Forms Factory Page 6 12/12/2007
o Achieve SDC 100% review of midrange/mainframe server request (not being utilized).
Determine criteria for review.
Have a dedicated SDC analyst team?
Discuss with business leaders.
o Achieve ESO 100% review of Security.
o Implement GEO 100% review of GIS Software – May be replaced by Enterprise GIS
Software Admin Rule (rule not yet adopted).
• Define subject matter expert (SME) involvement.
o Identify when SME involvement would add value to agency project IRR.
• Define SPO involvement.
o Identify when SPO involvement would add value to agency project IRR.
• Define information for level of review.
o Consider ability for large, medium, small agencies/projects – different levels of
information may be required.
o Match the level of review with the size and complexity of the project/request.
o Create chain-of-approval.
• Define signing authorities:
o Understand DAS signature authority.
o Understand agency delegated procurement authority from DAS SPO
o Understand Agency signature authority.
Determine process for submission from agency CIO vs. direct from dept.
o Define methods:
• Define an emergency IRR process.
• Revise IRR form:
o Agency CIO to sign IRR, other changes
• Create an IRR policy refresh process to accommodate revisions.
o Use agency tracking?
o Discuss with agencies.
o Account for time and budgetary realities vs. dated estimates.
• Potential avenue for electronic submission – partner with SDC – use of Remedy help
desk/ticketing process to initiate IRR request process.
• Define a way for agencies to determine/become aware of the disposition of an IRR at designated
points along the workflow.
• Define an IRR follow-up process.
• Poll small/midsize agencies after new IRR process is determined to identify areas where the
standard procedures may not “fit” with these agencies’ needs.
o Define project planning to procurement procedures.
o Identify gaps in expertise.
o Define use of “other agency” expertise.
Adjunct Process Documentation
• Create a business case template that accounts for varying degrees of information needed.
• Lifecycle or future costs.
• QA — Explore how QA review impacts IRR as a separate discussion.
• Status reports on projects that don’t require QA?
• Asset report, policies and procedures for inventory of assets and projects.
• Document SDC, GIS, ESO, other SME processes within the IRR workflow.
• Consider revising budget form (107BF14) to better align with agency and IRR needs.
Forms Factory Page 7 12/12/2007
• Identify when agencies plan to formulate IRRs to enable appropriate and timely SDC and EISPD
involvement in information gathering process.
• Include SDC in IRR process with touch points or project milestones.
• Determine when agencies actually submit IRRs to gauge workload.
• Identify optimum agency processes to leverage among agencies (EISPD, SDC, etc.).
o Align parallel processes where it makes sense — agency, EISPD, SDC.
• Integrate support requests (SDC) with IRR to the greatest extent possible.
o Provide SDC recommendations.
o Identify SDC processes and personnel.
• Define the SDC quote process (agencies and SDC) to ensure that SDC related cost estimates
contained within the IRR have been verified by SDC.
• Define process for agencies to work with enterprise program leaders, examples:
o ESO on security projects.
o GEO on GIS projects.
• Bring policies into the current day and age.
• Clarify State Procurement role in IRR policy.
• Clarify SDC role in IRR policy.
On-Budget Cycle – Off-Budget Cycle Discussion
March 08 May June Aug 08 Sept 08 | Dec 08 Jan–Jul 09
(even-year) (early) (late) (early) (late) | (GRB)
SDC SDC |
IT budget instructions SDC Budget LAB/Project List
published Refresh budget
(SDC & EISPD review)
IT 107BF14 form (concept)
Policy Option Package (POP) - 2-pg docs
• Current Threshold = +$500,000 (major projects reporting list)
o Exception: Governor’s Mandate
• Recommendations to BAM
• Overlap of 107BF14 and IRR
o Ongoing commitment of staff and expertise
o Desire to fix IRR within the context of budgeting process
Governor’s Recommended Budget (GRB);
Emergency board process: Off-budget cycles
Early submission agencies (May) = 4 SDC agencies
Late submission agencies (September) = 7 SDC Agencies
Most commonly missing information: Budget and SDC capacity/SDC cost estimates
Known difference in what receives legislative approval and what is actually delivered
Forms Factory Page 8 12/12/2007
Legislative Approval -------------------------------------------------------------------- Difference
Cost Benefits Schedule Deliverables @ project close
$X A, B, C, etc. | Cost = $Y with Benefits A, C, E
Forms Factory Page 9 12/12/2007