AG's Report on the State of IT Modernization: A Reality Check
Strategies, Challenges, and the Path Forward
Happy Tuesday, Transformation Friends. Another week, another opportunity to go Beyond the Status Quo.
This week, we're taking a detour from the series on cognitive biases to turn our attention to some news in the world of transformation and modernization within the Canadian public sector.
Recently, the Auditor General of Canada brought forward five reports to Parliament, with three standing out for those of us with a keen interest in public sector evolution and service delivery:
Report 7—Modernizing Information Technology Systems: This audit examines the overall progress of the Government of Canada in modernizing IT Systems. It emphasizes the poor health of IT applications and central agencies' role in leading and supporting modernization efforts.
Report 8—The Benefits Delivery Modernization Programme: This audit examines one of the government's most ambitious service modernization initiatives to revamp how approximately $150 billion in benefits are delivered to Canadians through the critical social programs Old Age Security (OAS), Canada Pension Plan (CPP), and Employment Insurance (EI).
Report 9—Processing Applications for Permanent Residence: This audit scrutinizes the efficiency and timeliness of application processing in programs supporting permanent residency by Immigration, Refugees, and Citizenship Canada (IRCC).
Today, I’m focusing on the first of these reports on IT system modernization. It highlights important details about the government's modernization endeavours and puts the spotlight on two primary findings:
Two-thirds of government applications are in poor health, and progress on infrastructure modernization is slow.
The Treasury Board of Canada Secretariat hasn't provided enough leadership on modernization efforts.
The AG also offers five recommendations for the central agencies steering IT, digital, and service modernization. These agencies, namely the Office of the Chief Information Officer of Canada (OCIOC) within the Treasury Board Secretariat of Canada (TBS) and Shared Services Canada (SSC), have considerable responsibilities over the government's ability to modernize services and, consequently, to meet the service expectations of Canadians. These recommendations serve as a roadmap for potential improvement.
Before we start, I need to add some personal context. Full disclosure: I work within the OCIOC, overseeing some of the most significant modernization and transformation efforts. Today, I’m giving an overview of the report, and at the end, I’ll add my take on a few aspects. These insights are purely my own and don't reflect any official stance of the Government of Canada or the OCIOC on this audit.
So, with the cover-my-bases segment out of the way (to use a polite term), it’s time to grab your morning coffee, and let’s get started.
AG’s Report on Modernizing Information Technology Systems
Let’s start with what the AG's report says.
In this section, I intend to provide a summary based purely on the report's content; I haven’t added any editorial or personal insights here.
The Audit’s Context
The Government of Canada heavily depends on IT systems, some of which are decades old, to serve its citizens. These aging systems risk failing and disrupting vital services. While the need for modernization has been recognized since 1999, progress has been slow. The goal is to upgrade or replace outdated systems and embrace newer technologies like cloud solutions. The slow pace of change hampers service delivery and increases security risks, emphasizing the need for quick action.
The Audit's Focus
This audit puts the leadership efforts of OCIOC and SSC under the microscope, first evaluating the health of IT applications across the GC and then looking at progress on efforts to improve and modernize these applications.
For those who don’t know or understand the role of OCIOC and SSC and why the AG would focus on these two organizations, let me try to put that into context:
TBS is a central agency in the Government of Canada that plays a role in ensuring public funds are used efficiently, effectively, and accountably. Within TBS, the OCIOC provides leadership for the entire federal government's IT policy, service, and digital transformation. This includes setting standards, ensuring cybersecurity, and overseeing the modernization of IT systems.
SSC, on the other hand, is a relatively new department established in 2011 to consolidate and streamline the GC’s IT services. SSC serves 45 partner departments and agencies within the federal government. It’s the technology backbone for the GC that ensures that its IT infrastructure is efficient, reliable, and secure. Its responsibilities include physical assets (like network infrastructure and data centres) and being the custodian for virtual assets like cloud and “as a service” type vendor relationships.
The Audit’s Findings
Finding 1: Two-thirds of applications were in poor health, and progress on modernizing infrastructure was slow.
These IT systems are essential for delivering services to citizens. However, the AG notes that a significant portion of these systems, crucial for the smooth functioning of government services, are outdated and in poor health. This poses risks of system failures, increased operational costs, and security vulnerabilities.
Key Facts highlighted by the report:
Two-thirds of the government's IT applications were reported to be in poor health, indicating they are technically outdated, may have limited vendor support, and possess security vulnerabilities.
Over the past five years (2019-2023), there has been minimal progress in modernizing these applications. The percentage of healthy applications only rose from 33% to 38%.
The target is for 60% of applications to be healthy by 2030. However, at the current rate, only 45% would achieve this status by the target year.
Of the 1,480 mission-critical applications, 38% (or 562) were still in poor health as of 2023.
The IT system supporting the Employment Insurance program, vital for many Canadians, had not been modernized 13 years after it was identified as high risk.
As of March 2023, 65% of the approximately 4,500 applications marked for modernization had seen no progress. Consequently, 280 out of 720 data centres identified for closure remained operational.
Recommendations and Responses
The AG provided two recommendations, one for TBS and the other for SSC:
Recommendation 1: TBS should establish realistic targets and timelines for modernizing applications in poor health.
Recommendation 2: SSC should analyze the effects of operating legacy applications and infrastructure and develop a sensible approach for prioritizing modernization efforts.
Finding 2: The Treasury Board of Canada Secretariat did not provide sufficient leadership for modernizing systems.
Modernizing IT systems is complex and costly, necessitating strong leadership, oversight, and funding. TBS, in collaboration with Shared Services Canada, plays a pivotal role in guiding and supporting these modernization efforts.
Key Facts highlighted by the report:
Despite recognizing the issue of aging IT systems 24 years ago, TBS lacks a consistent strategy for modernization.
As of October 2022, a draft strategy addressing risks like system failures and resource shortages was in progress but lacked specific timelines.
SSC has developed strategies for IT modernization, but these were not coordinated with the broader needs of all departments and agencies.
The Deputy Minister Committee on Enterprise Planning and Priorities (DM CEPP), meant to advise and prioritize IT projects, has been largely ineffective and has focused on only a limited number of projects.
IT modernization is a significant challenge due to underinvestment and a lack of skilled personnel.
Data used for assessing application modernization needs was often incomplete or unverified.
TBS’s oversight of high-risk IT projects was limited.
Funding mechanisms for modernization were found to be inflexible and inadequate.
Recommendations:
The AG provided three recommendations to TBS on this finding.
Recommendation 1: TBS should develop a clear IT modernization strategy that addresses the costs of old systems, estimates modernization expenses and timelines, revisits IT prioritization governance, addresses the scarcity of skilled IT personnel, and improves senior management’s understanding of IT projects.
Recommendation 2: TBS should consult with departments to determine the resources needed to support IT projects. The AG recommends gathering accurate data on IT projects undertaken by departments, identifying high-risk IT projects, and increasing capacity to provide better oversight for these high-risk projects.
Recommendation 3: TBS should revise or develop new funding mechanisms for IT modernization that are timely, adaptable, and consider immediate and future needs, centralize funding control, and mandate regular reporting on results.
A few takeaways
Let's look at two points that stood out to me:
High-risk IT projects and increasing capacity to provide better oversight of these projects
1. Understanding High-risk Projects: It’s not only about IT
The term "IT project" is broad, and most transformation initiatives will naturally involve significant IT components. However, only using the IT aspect of a project to identify it as high-risk might be a narrow viewpoint. For instance, Report 8 highlights a modernization programme with a significant IT element but also reveals other challenges. The primary goal of these initiatives is to meet Canadians' needs and expectations: to serve Canadians better. While IT plays a crucial role in our digital age, it's a tool to achieve a broader objective, not the objective itself.
2. Prioritizing Strategy Over Capacity
The recommendation to increase capacity likely refers to adding more resources in terms of personnel and funding. While it's tempting to think that allocating more resources can solve problems, we must look deeper. We discussed the Sunk Cost Effect and the trap of continuing with something that isn’t producing the desired outcomes.
The AG’s report suggests that our approach isn’t working.
So, I think the sequence of actions is crucial here. Before ramping up resources, it's vital to have a sound strategy in place, one that we see producing the outcomes we want. Once we see the approach working, it makes sense to boost capacity. It ensures that the added resources are utilized effectively and aligned with the overarching goals. Otherwise, we might invest in something that perpetuates the status quo.
Improving senior management’s understanding of IT projects
1. The Role of the Masterbuilder
Bent Flyvbjerg emphasizes the value of experience, stating, "Experience is often aggressively marginalized." In his book How Big Things Get Done, he underscores the significance of seasoned expertise in project leadership. Flyvbjerg's primary advice for successful project leadership is to "Hire a Masterbuilder."
Reflecting on this, I wonder a little about this recommendation. Is the real challenge that we need to improve understanding? Or would this challenge be moot if, in the first place, we put these masterbuilders at the helm?
Which leads me to wonder: Do we have enough of these masterbuilders within the GC? How do we attract more, or even better, how do we nurture and develop them internally?
2. Grasping the Project, Not Just the Tech
The report doesn’t describe what "understanding" means, but it's likely not just about the intricate technicalities of IT. While senior leaders need to have a foundational grasp of IT in their initiatives, I wouldn’t say they need to delve deep into the deep technical details—in fact, sometimes this is counterproductive.
The essence of the recommendation probably leans more towards comprehending the nature of such projects. What sets an IT-heavy project apart from others? Flyvbjerg offers some insights on this front. For instance, the nature of cost and schedule risks tied to IT projects differs significantly from other projects, a topic I touched upon earlier this year.
In essence, leaders need a holistic understanding of the dynamics driving these IT projects for strategic decision-making. They don't necessarily need to dive deep into complex topics like container orchestration with Kubernetes. Instead, a broader perspective on the project's landscape is more crucial.
Wrap up
The Auditor General's report shed light on the current state of IT systems, emphasizing the need for a more strategic and coordinated approach. While the technicalities are essential, the broader objective remains to serve Canadians better.
As we wrap up today, let's ponder on a few questions:
Leadership and Strategy: What strategies and approaches might we use to be more effective at both identifying and overseeing high-risk projects?
Resource Allocation: Given the slow progress in IT modernization, how can organizations balance investing in new resources and ensuring that existing resources are utilized effectively?
Masterbuilders in the Public Sector: How can the public sector attract, nurture, and retain seasoned experts who can lead transformative projects with a blend of technical know-how and strategic vision?
Until next time, stay curious, and I’ll see you Beyond the Status Quo.