As I noted last year, some seven years ago, Virginia approved the centralization of information technology services for all state agencies after an audit determined that Virginia was wasting over $100 million annually on IT project cost overruns and on unsuccessful efforts to get the different state departments’ heterogeneous and outdated IT systems to communicate with one another. The result was the creation in late 2003 of the Virginia Information Technologies Agency (VITA) to bring IT under control as well as modernize it across the state.
VITA signed a 10-year, $2 billion IT outsourcing contract with Northrop Grumman in 2005, which at the time Virginia’s State Comptroller said carried “significant risk,” a statement the state’s CIO did not contest. But hopes back then were high, so the risks were accepted and the contract let anyway.
Late last year the Joint Legislative Audit and Review Commission released an audit report [PDF] that essentially said that the outsourcing contract’s significant risks had turned into significant problems, and that there would be no savings to the state through the initial 10-year term of the state’s $2 billion agreement with Northrop Grumman.
Those in charge of VITA said the situation was not nearly so bad as what the audit report portrayed, and that things would be getting better in 2009.
What a difference a year makes.
The latest Joint Legislative Audit and Review Commission audit briefing report [PDF], which runs to 131 slides, says that the situation is not only just as bad as last year, but probably is now worse.
For instance, Virginia State Police in Newport News lost Internet access for 78 hours in May 2009; the Department of Motor Vehicles in Bland lost network connection for 31 hours in June 2009; and the Department of Environmental Quality in Roanoke lost network connection for 31 hours in May 2009. And then there was this little issue of Virginia’s Prescription Monitoring Program web site being hacked and its data being held for ransom.
Furthermore, there is little the state can do about it all since terminating the contract would cost in the range of $400 million and leave IT operations in the state in absolute chaos.
The audit makes clear that the outsourcing contract was flawed from the beginning, and from my reading of it, the audit could be used as an excellent template on how not to design an IT outsourcing contract as well as how not to select a contractor for it.
As an example, one finding in the audit report was that while everyone knew the contract carried significant risk and that the Grumman proposal even said that “it is natural for people to resist change” and therefore a “formal risk management and mitigation process is essential,” an outside evaluation of risk management on the contract found it to be “poor.”
No doubt risk mismanagement is also a reason that even though a large number of IT projects had their project schedules contractually relaxed, the revised project deadlines on the majority of them were still missed.
Northrop Grumman says [PDF] it doesn’t agree with the audit report’s findings, and says the state is as much at fault for the ongoing problems as it is.
Needless to say, that has gone over like a lead balloon with state officials, especially since the head of VITA said [PDF], “I believe the [audit report] briefing accurately captures the history, progress and challenges of the modernization of Virginia’s IT infrastructure.”
The bottom line is that Virginia will likely have to gut it out through 2015, and hope things improve at not too much extra cost. The state’s only leverage is to hold Northrop Grumman’s “reputational feet” to the fire to try to improve the situation, since the audit report also makes it very clear that for many contracted IT projects, Grumman gets paid in full whether it is late or not.
If the Virginia officials are smart, they will start now on defining the follow-on outsourcing contract, and try to have it completely vetted before 2015.
Perhaps all four states should get together to define what a realistic and risk-appropriate IT outsourcing contract looks like.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.