When Good Projects Go Bad

King County, Wash., has a well regarded IT governance model that is collaborative, countywide in scope and yet moves things forward without tripping on too many levels of decision-making. Four bodies -- the Strategic Advisory Council, the Project Review Board, the Business Management Council and the Technology Management Board -- are the governance components.

The Project Review Board (PRB) is chaired by the CIO and does advisory review and oversight of approximately 80 IT projects per year. Until 2010 its function was mainly to monitor projects to ensure they were moving forward as expected and to release or withhold funds for their continuation. The system, said King County IT Governance Manager Zlata Kauzlaric, was focused mainly on compliance with requirements such as a plan, sufficient resources allocated to project tasks, and other required project documents. If any of those were absent, the funds were not released to the project for expenditure until they were provided.

But in 2010, newly hired CIO Bill Kehoe expanded the PRB's mission to help struggling projects. He also set up a risk-assessment strategy to determine the severity of any problems and what resources would be brought to bear to help get things back on track.

Identified risks fall into three categories:

• Category one includes risks like delays of up to four weeks, missing monthly status reports or expenditures exceeding those allocated.
• Category two risks include significant changes in scope, budget, expected benefits or schedule.
• Category three includes major risks to mission-critical business as well as category two risks that escalate.

"So we review the project, and identify potential risks," said Kauzlaric. "Is this lack of planning? Is it lack of good vendor management? Is it that the project manager is not complying with project management methodologies? Are there resource issues? So when we identify those risks, we go into the process of getting everyone together to discuss, develop a risk mitigation plan and go from there."

The more severe the risk, the higher level the participants in decision making. For example, in the risk-based oversight model, at risk-level one, a meeting is called for peer support to discuss things and come up with a recommendation. At level two, the project meets with the CIO, and at level three, said Kauzlaric, the "big guns" are brought in, which can include the budget director, deputy executive or elected officials. "We would say, 'These are major risks to your business process,'" said Kauzlaric, "'This project is not going to deliver, so how are we going to mitigate it?'"

The collaborative approach is essential to the process, said Kauzlaric. "We are so connected with the business benefits we can't consider this just an IT project. Everybody has a stake in making the project successful."