Policy

Mr. Fix-It?

California CIO J. Clark Kelso attempts to repair the state's IT governance structure.

by / February 14, 2003 0
It's been six months since J. Clark Kelso became both California's CIO and the governor's special adviser on IT, and he's had plenty to keep him busy.

He's begun laying the groundwork for a new IT governance structure in the state, attempting to fill the void left by last summer's closure of California's Department of Information Technology (DOIT). That, in part, has made it possible to formulate and implement new IT oversight and security policies. Kelso also is leading a push to retool California's approach to procurement and IT funding, although budget uncertainty has forced the state to hold off on wholesale changes.

Kelso -- a full-time, tenured law professor who teaches two classes during the spring 2003 semester at a Sacramento, Calif., law school -- may not be an obvious choice for one of the nation's most challenging public-sector IT positions. But his nomination is intriguing.

Kelso's no stranger to technology or government, having spent a number of years examining IT integration in the courts. He's also earned a reputation for fixing things that are broken.

California Attorney General Bill Lockyer and Gov. Gray Davis asked Kelso to oversee the California Department of Insurance on an interim basis several years ago, in the wake of a scandal that prompted the resignation of then-Insurance Commissioner Chuck Quackenbush.

Kelso was then selected by Davis to chair the California Earthquake Authority, which was investigated by the Bureau of State Audits in the aftermath of the Department of Insurance scandal.


Going About Governance
Perhaps the biggest challenge Kelso now faces is how to create an IT governance structure in a state that's seen its fair share of spectacularly publicized IT disasters. Partly because of those fiascos -- last year's Oracle enterprise software license scandal is most notable -- the words "technology oversight" have become almost a running joke in California.

Despite possessing no clear-cut statutory authority, Kelso managed to get the ball rolling, at the very least, and legislation codifying the reach of the state's CIO and IT oversight in general may be introduced during this year's legislative session.

"In the last four or five months, we've really begun to establish a smooth-functioning and practical IT governance structure, even though we haven't had a statute," he said. "We're very near the point now where we'll be able to talk to the Legislature about what we've accomplished, whether we think it works, and what governance structure should replace the Department of Information Technology."

Kelso said he's been busy establishing good working relationships between key parts of California's IT machinery, such as state agency CIOs, data centers, and the Department of Finance's Technology Investment Review Unit (TIRU) and Technology Oversight and Security Unit (TOSU). One payoff is a set of new policies and procedures dealing with oversight and security. Several working groups also have been created to deal expressly with particular topics, such as a security advisory group that Kelso said is helping him prepare new policies to tighten up some state security processes.

The TIRU and TOSU will play a key role in California's new IT governance structure, Kelso said.

This approach suggests the state has learned something from its experiment with DOIT. That agency's oversight responsibility was never crystal clear, and some of its oversight duties overlapped those of the Department of Finance. Clearing up that confusion is absolutely critical if "technology oversight" is to have any real credence with the Legislature, Kelso said.

"We're still going to be implementing what we're calling a 'graduated oversight program,' where, for some things, oversight is performed at the department level; for others, at the agency level; and some by the Department of Finance," he said. "The one thing that's consistent across all of those is that oversight of a project has to be performed by someone independent of the project staff.

"Even if you've got oversight within a department, you have to organize that in a way that the people doing the oversight are independent of the project staff," he said. "That covers probably half of our IT projects."


Strong in a Different Way
The role of California's CIO will change too -- a move consistent with an emerging trend away from the Cabinet-level enterprise CIO and toward a federated approach to IT governance. That shift puts more operational responsibility in the hands of individual agencies.

"The state's CIO needs to be operating mostly at a strategic level, and should not be dropping down into operational disputes or into specific procurement activities," Kelso said. "It's very easy to get pulled down into those things."

The old approach forced state CIOs to spend an inordinate amount of time scrutinizing operational details of implementations instead of setting an overall IT direction. That danger is magnified in California because of its immense size, but the issue isn't unique to the state.

"We've come to a good understanding of the roles and responsibilities the CIO should be playing, that the control agencies -- the departments of Finance and General Services and the Department of Personnel Administration -- ultimately should be playing, and then all of the service agencies," Kelso said. "In my mind, there's much greater clarity than when DOIT was around because DOIT was partly an oversight and control agency, partly an advocate for IT projects -- a conflict in roles that made it difficult for the department to really exercise the sort of strategic leadership the state requires."

Kelso said the fact that he doesn't preside over a bureaucratic empire works to his advantage. Since DOIT closed its doors, responsibility for developing IT policy in California has rested with Kelso and an assistant. When the CIO talked with Government Technology last October, the meeting took place in a law school conference room, not a state office building.

Kelso said state agencies simply don't perceive him as a threat, allowing him to create a level of trust among the many players in California IT.

"I don't have turf I'm trying to protect," he said, "and that does help."

Still, that doesn't mean a weak CIO; it means a CIO that's strong in a slightly different way. Large corporations have strong CEOs, CFOs and COOs, but those positions aren't involved in operational details -- that's what staff people do, Kelso said.

"What you want the CEO and the CIO of large corporations to be doing is -- and I don't mean to be flip about it -- that 'vision thing,'" he said. "But there's no question that it's got to be strong leadership. In a bureaucratic structure as complex as California's, the only way you get to the point where you've got a strategic plan -- where there's widespread acceptance of the direction you're setting -- is if you've got a strong leader who's got very good communication abilities, who's able to generate a sense of trust among all of the stakeholders -- many of whom have very different interests and very different job responsibilities."

To a large degree, this means that California's CIO has to be strong enough to trust state agencies to make the right decisions and also to give them sufficient power to carry out those decisions, according to Kelso.

"There has to be mutual trust," he said. "You have to develop a sense of confidence that if I do a strategic plan and I'm able to get agreement to it, at that point the Department of Finance, the Department of General Services and all of the service departments will actually implement the thing."

To that end, the control agencies, not the CIO, have a strong role to play in making sure that agency IT projects dovetail with the state's strategic IT vision. The CIO also can't take an ivory-tower approach.

"Once you do a strategic plan, you just don't retire to an office somewhere and wait for reports," he said. "You've got to be out over-communicating. You've got to be talking to agency CIOs around the state. One of the things we stopped doing for a number of months was regular CIO meetings, but we've begun a process of trying to encourage those type of group meetings."


Work Within the Reality
The landscape Kelso must negotiate offers other challenges.

California has seven independently elected constitutional officers -- more than any other state -- and a slew of independent boards and commissions. Plus state agencies, partly due to their sheer size, have historically operated with a fair degree of autonomy -- autonomy reinforced by budget-related decisions.

"I don't know that a centralized IT agency can work in California," Kelso said. "It would involve a lot of independent offices giving up, it seems to me, way too much power -- power they probably shouldn't give up. There's a reason in California why we like these independent offices. To ask those offices to throw their technology spending, projects and programs over to some centralized IT agency isn't a fruitful approach."

Kelso said discussions on IT governance between himself, the Legislature and affected agencies will include debate on who should have what power. Command and control is necessary, he said.

"You've got to have, at some point, a power to make things happen or to stop things from happening," he said. "It's an important power to have -- sometimes you have to use it, mostly it's good to have it in the background. Most of the time you're going to work things out at a lower threshold, but working things out at a lower threshold is not so much command and control as it is communication, coordination and collaboration. That's clearly the direction we're going to be heading."

Kelso said the state is seriously considering creating a small IT board modeled on the State Public Works Board (SPWB), which oversees funding for capital outlay projects and carries out various statutory control provisions relating to those projects.

Voting members of the SPWB consist of the directors of the departments of Finance, Transportation and General Services, the state controller, and the state treasurer. The SPWB also includes six nonvoting legislative advisers -- three Senators and three Assembly members.

The structure of the board is a good starting point, though it will take much discussion to create a specific structure and decide the membership of the board, Kelso said. The organization could have some oversight authority and could serve as a public sounding board for IT strategic plans.

"You don't want the state CIO to be utterly divorced from reality, so I do think it might be useful to have the board be a place where any plans the state CIO develops get vetted and approved or rejected," he said. "It should have some oversight responsibilities to look at the state's IT programs -- the oversight program at the Department of Finance, the security program, our procurement efforts -- and in very limited circumstances, the board probably needs to have some ability to reach out to individual projects and engage in oversight in that context."

Kelso also sees the board being responsible for coordinating between the state's control agencies and making sure strategic plan documents and decisions are actually implemented.

Creating a strategic plan is Kelso's job, but he carefully noted that it can't come from him alone -- such a plan is the result of an inclusive planning process.

"Ultimately, you get a decision from that board and from the departments of Finance and General Services -- the control agencies -- that this plan is implementable, that it's not pie in the sky, that it's a plan that we think the state can achieve," he said. "If you get that board and those agencies on record in support of that plan, that makes a huge difference. Staff [members] within those departments know what they're supposed to be doing."

Without a viable strategic plan, state agencies don't necessarily move in the same direction -- a danger California currently faces.

"The only thing the entire IT community can do is sort of think to themselves, 'How do I save money? Other than that, how do I respond to today's crisis?'" Kelso said. "It's impossible for Finance's staff, I think, to have a good sense of what the strategic direction for the state is. As a result, they get driven back to just sort of critical analyses of individual projects."


Important IT Improvements
Last year's Oracle situation also forced California to take a long look at IT financing and procurement.

The Department of General Services, by an executive order signed by Davis in May 2002, was directed to create a task force to review the state's contracting and procurement procedures. The task force also was asked for recommendations on statutory, regulatory or administrative changes necessary to "ensure that open and competitive bidding is utilized to the greatest extent possible" by state agencies. The task force released its final conclusions in August 2002.

One recommendation calls for California to create contracting officer positions at state departments. Kelso agreed that IT procurements could improve by giving procurement officers in departments responsibility and authority to engage in acquisitions, he said. The move would create a trained work force of procurement professionals within state agencies.

"When you ultimately get to the point where completion of training programs becomes tied to a department's delegated authority from the Department of General Services to contract -- so that the only people who will get delegations are those people who are coming through training programs, and they're the ones doing procurement -- as a de facto reality, you're creating contracting experts in departments," he said.

The state also is scrutinizing IT financing models, though there is no hard and fast timetable for IT financing overhaul or creating a centralized financing agency. Kelso said there's need for improvement in several existing financing mechanisms.

"One of the things we've learned over the past year is that sometimes when you finance an IT project, you may actually get hooked on the financing in a way that makes it very difficult to unwind the project if it needs to be unwound," he said. "I think what we're going to see first is a look at some of our more specific mechanisms of financing IT before considering any type of formal, financing agency."

Improvements to existing financing mechanisms may preclude the need for creating a separate IT financing entity or agency, he noted, and if the Legislature does pass a bill that creates an IT board, that board could assume that responsibility.


Coming Full Circle
In many respects, the future of IT governance in California comes back to the Legislature. Kelso said he hopes the introduction of new legislation to create some sort of IT entity will happen this year, and that he's talked with legislators, who agree it's an important topic that deserves attention during this legislative session.

The state has been down this road before, of course, with the 1994 legislation that created DOIT. It's no secret that lawmakers became deeply suspicious of the beast they created, just as it's no secret that DOIT gave lawmakers ample reason for that distrust.

So Kelso finds himself back at square one. He does have history on his side, in that he knows what not to propose.

"If you propose something that looks too much like you're going to take powers away, I don't think that gets passed in our Legislature," he said. "You bring out enemies from all sides who chip away, and then you end up with something that would resemble the old DOIT. I don't know that the reality of the dispersion of power has changed any from the time DOIT was created. It seems to me you've got the same basic power relationships. I don't want to go down the path that's going to repeat the history of that legislation."
Shane Peterson Associate Editor