Municipal shared services agreements for information technology
In New York State, Governor Andrew Cuomo’s Countywide Shared Services Initiative “requires counties to assemble local governments to find efficiencies for real, recurring taxpayer savings… by coordinating and eliminating duplicative services and propose coordinated services to enhance purchasing power.”[i] New York is currently offering substantial financial incentives to municipal organizations that “create savings.”
According to a 2013 study[ii], about 8 percent of municipalities participate in IT shared services programs. Considering the financial incentives, I suspect that the percentage has increased significantly since that time.
In theory, shared services agreements among municipal entities appear to be a great deal for everyone involved, and especially for taxpayers. In reality? I am not only skeptical; I have seen the negative consequences of such agreements in the form of low-quality IT services that cost far more than similar services delivered by commercial vendors.
One possible scenario
A common scenario for shared IT services might take the form in which a county IT department becomes a service provider for cities, towns and villages in its jurisdiction. This may include email, infrastructure services, help desk services, software, printing of tax bills, break/fix services, hardware procurement and much more.
In this type of scenario, the county’s management may view such a deal as an opportunity to turn their IT operation from a cost center to a profit center. However, the differences in performance and productivity between the private and public sectors can be stark. Running a successful commercial IT services business is a tough, highly competitive undertaking that requires excellent management skills and continuous improvement.
For many municipal managers and elected officials, the one-time financial incentive may blind them to the necessity of examining the long-term consequences of such an arrangement. In other words, they will want to build the airplane in the air and the basis for the deal may be something that is not much more than a handshake deal, devoid of reality and details.
Get it right!
It is possible for a municipal shared services agreement to be successful, but success won’t be accidental. If you are involved in negotiating such an agreement, I provide the following suggestions to ensure that you make the best deal possible.
Use rigorous procurement methodology
A shared services agreement should be treated exactly the same as a deal with a commercial vendor. At a minimum, the documentation required for the evaluation should include the following:
- Service level requirements. This is a document that precisely defines your requirements. Before entering into any service agreements with outside agencies, your organization should thoroughly understand and document your business needs, goals and objectives.
- Service level agreement. This agreement is an essential part of any professional services contract. It defines requirements, responsibilities and accountability and includes financial penalties if the provider fails to meet agreed-upon service level targets.
- Catalog of services. What is the universe of services offered by your service provider? How much does each service cost, and when are such services available? How do you obtain services not covered in the agreement?
- PSA (professional services automation) system. An automated, auditable system for tracking incidents is a requirement for managed service providers. The system should be configured to send alerts to management and executives when the provider fails to meet agreed-upon service levels. Daily or weekly status reports should be available to the customer.
The agreement framework
Will this be a simple agreement using an MOU (memorandum of understanding) or some sort of BPA (business partnership agreement)? Regardless of the format recommended by your attorney, a clear exit path must be part of the agreement in case the relationship doesn’t work out. Agreements with commercial vendors always spell out how the relationship may be dissolved, but I have seen municipal shared services agreements that have no such escape clauses for the “customer.” Make sure you can get out of the deal if it isn’t working out.
Comingle infrastructure resources carefully
A significant risk of a shared services deal is that IT infrastructure built between the parties may become intertwined to an extent that may be difficult and expensive to unravel. Clear boundaries should be established that will allow the parties to simply unplug if the deal doesn’t work out. Also, who owns infrastructure and data? How do you get your data back once the relationship is dissolved?
Information security, governance and policy
Whose governance policies will apply? Acceptable use policies, security policies, regulatory compliance policies and personnel policies as well as organizational culture should all be considered. How will sanctions for policy violations be addressed between agencies?
Is the provider using best practices for ITSM (information technology service management) and an ISMS (information security management system)? Are they an ITIL or ISO 20000 shop? How will security be managed? Do they follow any generally accepted frameworks for information security?
Who will define quality standards? In the commercial world, the customer determines quality. In the public sector, the provider often defines quality — the DMV being a perfect example. What recourse do you have if the provider fails to meet quality standards? With a commercial vendor, you simply terminate the deal. In a shared services scenario, terminating the deal may require political capital that is not available. These arrangements present the real risk that you could be stuck with a bad deal for years or even decades.
These are only a few examples of the processes required to evaluate and negotiate a successful shared services agreement.
The great advantage of democratic local government is that citizens have the ability to address poor municipal management through the democratic process. If we’re not happy with the decisions and actions of management, city council or a county commission, we can simply vote them out of office. The problem with the trend toward regionalization of government functions and services is that we lose that ability to control it through elections. Don’t lose your ability to control your information technology operations by making a bad shared services deal.
References and endnotes
“Shared Services Among New York’s Local Governments,” research brief, Office of the New York State Comptroller, Division of Local Government and School Accountability, November 2009
“Shared Services: Establishing a Competitive Business Within a Business,” NDMA Inc.
[i] Shared Services Initiative, State of New York.
[ii] “Shared services in New York State: A Reform That Works,” George Homsy, Bingxi Quian, Yang Wang and Mildred Warner, August 2013.
This article first appeared on CIO.com at http://www.cio.com/article/3196248/leadership-management/municipal-shared-services-agreements-for-information-technology.html
© Copyright Jeffrey Morgan, 2017
County/municipal customer service and the RACI model
Because Mother Nature is so stingy when she doles out the gene for common sense, frameworks and standards for IT governance had to be invented.
Recently, I heard about an incident in which a municipal IT director was planning and executing significant changes to a department’s critical infrastructure without informing the customer — the department personnel. After being confronted, he insisted that he wasn’t required to inform the stakeholders because it was routine and he didn’t need departmental approval. Huh! To make matters worse, the changes involved significant risks that were far beyond the understanding of that IT director and his staff.
This behavior is appalling on many levels, but it is representative of the service provided by many municipal IT managers who believe IT is a dictatorial, rather than collaborative, profession. A few of the things this scenario tells us about the organization include the following:
1. The organization isn’t using a framework for IT governance and IT Service Management (ITSM).
2. Executive oversight of IT is inadequate.
3. The organization lacks a risk management program with change-control policies and procedures.
I will address the first two items below, and we can address item No. 3 in a subsequent article, so don’t forget to check back.
Sacred cows and your executive legacy
Municipal IT operations tend to be monopolies, and the customer service they provide is all too often in keeping with what one would expect from any monopoly. There is no good reason for this state of affairs, and you can fix it with relative ease. Enabling deplorable IT services doesn’t have to be one of your executive legacies.
Municipal IT often operates on a charge-back model, where customers (internal departments) are forced to pay a flat annual fee or an hourly rate for IT services. The customers are unable to pursue competitive services from external vendors that may provide considerably better quality at a significantly lower cost. In the bubble of government IT, market forces never apply the pressure required to initiate change, and the IT department remains a sacred cow trapped in outmoded thinking and ancient processes.
Solutions, tools and techniques
In previous articles[i], I have discussed several management tools, techniques and processes that will significantly improve IT performance and customer service in your organization. Here, I will add one more concept: the RACI (Responsible, Accountable, Consulted and Informed) model.
The RACI model is an excellent tool for clarifying roles and responsibilities within a process. Using RACI can increase transparency and address the lack of oversight, so that all the players clearly understand their roles in the grand scheme. Let’s take a look at an example of how it might be used to identify appropriate roles for the operation and maintenance of a county clerk’s software application.
Although your matrix may be different, what won’t be different is that multiple stakeholders are involved. If there are a significant number of public users of the system, such as attorneys and title researchers, you might want to add them to the matrix as well.
While the RACI model is an important component of frameworks and standards such as COBIT, ITIL and ISO 20000, undertaking a full implementation of any of these programs isn’t necessary to make significant performance improvements to your IT operations and customer service.
Don’t count on common sense as a reliable management tool; use IT governance instead.
For further reading
“How to Design a Successful RACI Project Plan,” by Bob Kantor, CIO.com, May 22, 2012
[i] “Improving IT Customer Service with Service Level Agreements (SLA),” by Jeffrey Morgan, e-volve Information Technology Services
“What Is the Biggest Threat to Internal IT Departments?” by Jeffrey Morgan, CIO.com, Oct. 3, 2016
“High Crimes and Misdemeanors of CIOs,” by Jeffrey Morgan, CIO.com, Oct. 17, 2016
“Improving IT Customer Service, Part 2: Using a PSA System,” by Jeffrey Morgan, e-volve Information Technology Services
This article was first published on CIO.com at http://www.cio.com/article/3195073/leadership-management/county-municipal-it-customer-service-and-the-raci-model.html
© Copyright Jeffrey Morgan, 2017
May I see your comprehensive security policy please?
Huh? What’s that?
Lack of compliance with the HIPAA security standards is common in county and municipal government agencies even though many of these organizations have covered entities (CE) under their umbrellas. For some reason, almost everyone got the memo on required compliance with HIPAA privacy rules in 2003, but many organizations missed the subsequent memo on required compliance with security rules by April of 2005.
Nearly 14 years have passed since the security rule was published, and I have no explanation for the compliance lacuna that exists today. If you are an executive, manager or provide IT services for a CE, your security policy should be as well-worn as your kids’ Harry Potter books.
If someone (e.g., an auditor) asks about your compliance program, you should be able to succinctly summarize it and immediately provide documentation of your compliance activities. If this doesn’t describe your organization, you are not alone, and there is no time like the present to begin the process.
Compliance isn’t a one-time, passive event; there are routine steps you must take to ensure the CIA (confidentiality, integrity and availability) of your clients’ protected health information (PHI).
Denial and disbelief
Denial and disbelief are the first two stumbling blocks I encounter when informing managers in government agencies that they are not in compliance with HIPAA. Sickening yellow clouds of realization dawn over a period of several weeks while I continue to email copies of the Code of Federal Regulations (CFR) to the relevant parties. The attorney is generally the first to comprehend the magnitude of the situation.
Holistic information security
I talk about security policies rather than HIPAA policies. Something that is also common in municipal government is a lack of information security policies based on some generally accepted standard or framework for information security. You can and should address HIPAA security requirements and your overarching organizational information security requirements together.
Form a governance committee
Developing your security policy isn’t an IT project; it is part of an Information Governance program. A cross-functional team including representation from several organizational entities must be part of the process for developing your information security policies. Here are the roles I generally request to be part of the policy development team:
1. Executive owner
4. Information technology
5. Line of business units
6. Records management
7. Risk management, privacy and information security officer roles (Many municipal governments do not employ these functional roles, but they will once they have developed their policy).
Read the regulations!
I am a big believer in always working from primary sources. I encourage you to embark upon your HIPAA journey by reading the full text of the regulations. In the table below, I have hyperlinked them for your convenience. When I write policies for clients, I work directly from the regulation with their policy or governance committee so that everyone understands the process and the final result. Even so, clients will often argue about something that is projected on the wall right in front of them. I link every client policy to the corresponding HIPAA requirement.
Primary sources for compliance – educate yourself
| Source | Description | Date / version |
|---|---|---|
| HIPAA Privacy Rule | 45 CFR Parts 160 and 164, Standards for Privacy of Individually Identifiable Health Information | Final Rule, December 28, 2000 |
| HIPAA Security Rule | 45 CFR Parts 160, 162, 164 | Final Rule, February 2003 |
| HIPAA Combined Regulation Text | HIPAA Administrative Simplification | Unofficial version amended through March 2013, combining the privacy and security rules |
| HITECH Act Enforcement | HITECH Act interim final rule; includes penalties for non-compliance | October 30, 2009 |
| NIST Special Publication 800-53 | Security and Privacy Controls for Federal Information Systems and Organizations | Revision 4, April 2013 |
| Privacy Rule Resources | HHS.GOV resources | |
| Guide to Privacy and Security of Electronic Health Information | Office of the National Coordinator for Health Information Technology | Version 2.0, April 2015 |
| NIST HIPAA Security Rule Toolkit | Downloads and tools from NIST for assessment, etc. | |
| NIST Special Publication 800-66 | An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule | October 2008 |
| Security Risk Assessment Tool | HealthIT.Gov | Executable tool; paper copy available too |
In a previous article on the subject, I provided a sample, high-level compliance matrix for a security policy aligned with HIPAA.
Vendors often market products as being “HIPAA compliant.” If you have read the regulations above, you now know that there is no such thing. The HIPAA security rule is technology-neutral, and any reference to compliance would be to your organization’s policy rather than to the rule itself.
Get to work!
If you are now nauseous because you realize that you are not even remotely in compliance, that’s a good thing. Use that feeling to quickly get to work to protect your organizational information assets.
© Copyright Jeffrey Morgan, 2016
This article first appeared on CIO.com at http://www.cio.com/article/3134484/government/may-i-see-your-comprehensive-security-policy-please.html