IT Dashboard: Agencies Need to Fully Consider Risks When Rating Their Major Investments, GAO-16-494: Published: Jun 2, 2016. Publicly Released: Jun 2, 2016.

“Agencies determined investments’ Chief Information Officer (CIO) ratings using a variety of processes, which included the Office of Management and Budget’s (OMB) six suggested factors (including risk management, requirements management, and historical performance). Specifically, all 17 selected agencies incorporated at least two of OMB’s factors into their risk rating processes and 9 used all of the factors. However, agencies’ interpretations of these factors varied. For example, most agencies considered active risks, such as funding cuts or staffing changes, when rating investments, but others only evaluated compliance with the agency’s risk management processes. Further, 13 agencies required monthly updates to CIO ratings as does OMB (as of June 2015), 1 agency scheduled its reviews based on risk, and 3 agencies required updates less often than on a monthly basis. GAO’s assessments generally showed more risk than the associated CIO ratings. In particular, of the 95 investments assessed, GAO’s assessments matched the CIO ratings 22 times, showed more risk 60 times, and showed less risk 13 times…”