Good Governance enabled through Financial Management but…

September 10th, 2014

as we learned today, ERP systems do not solve the challenges faced by international NGOs like the Organization of American States.

Good governance structures and strong internal controls and audit are supported by financial managers. But, the ERP system in use is not able to effectively report and control expenditures.

Study: Latin America Benefiting from Improved Public Financial Management

September 8th, 2014

Growth in Latin America: Resource Dependency, Inequality, Economic Integration, Human Capital

September 5th, 2014

Open Contracting Open Data Draft is a Good Start

September 4th, 2014

Doug Hadden, VP Products

The Open Contracting initiative is an important stage in the government transparency movement. A draft open data standard has been produced by the organization. This is an excellent start because government procurement represents such a significant factor in government expenditures and country GDP. And, government procurement is highly available for corruption.

The purpose of the initiative is:

Open contracting refers to norms and practices for increased disclosure and participation in public contracting including tendering, performance and completion. It includes the variety of contract types, from more basic contracts for the procurement of goods, to complex contracts, joint venture agreements, licenses and production sharing agreements. Open contracting encompasses all public contracting, including contracts funded by combinations of public, private and donor sources.

The draft data standard provides:

  • Link between procurement planning and the tendering process – critical to understand the linkage to policy
  • Contract award information – critical for corruption and best value analysis with contract data
  • Performance milestones and documents

Comprehensiveness Not Achieved – But Should it?

There are some problems associated with the proposed standard. Many of these problems come from the nature of government procurement that is difficult to decompose. Some issues are:

  • The planning data standard is limited. And, there doesn't appear to be any linkage across the procurement cycle related to budget classifications or multiple year commitments.
  • Rationalization of simple purchasing of commodity goods with complex procurement. The notion of "units of measurement", "quantity per unit", and "value per unit" is more difficult to define in complex procurement.
  • Notion of "performance" is usually associated with outcomes rather than outputs. The standard focuses on milestones – typically related to outputs. This makes sense because outputs are easier to track. But a milestone usually includes many outputs. The standard links to documents that provide performance narrative, but there is no standard for this data. Guidance for performance reporting is needed.
  • Standard contract data is very sparse. Government contracts can be very complex. This includes hold-backs, bonus payments, and penalties. Some contracts provide criteria for extended phases. 
  • The selection criteria for procurement provides string information but does not have categorization. Categorization would enable analysis across contracts.
  • The standard doesn't seem to follow multiple stage tendering such as RFI followed by 2 stage RFPs

This is one of the problems associated with open data standards: information comprehensiveness is valuable but not at the risk of making compliance too expensive or complex. 

Supporting the Standard in Software

The standard is easily supported in Commercial Off-the-Shelf software like the FreeBalance Accountability Suite. That's because our suite is fully unified across the budget cycle. Many governments acquire "e-procurement" software separate from core financial management. This standard exposes the problem associated with this approach:

  • Standalone e-procurement software tends to have no idea about the original budgets, planning processes or budget transfers.
  • Commitment management is outside the e-procurement system.
  • Contracts and payments are usually managed outside of the e-procurement system.

How does Technology enable Governance?

August 26th, 2014

The “Cover Oregon”/Oracle Failure in Perspective

August 25th, 2014

Doug Hadden, VP Products

The "Cover Oregon" healthcare exchange failure has made for some sensational "copy" – beginning with the "blame game" – and, now lawsuits by both parties. The contractor, Oracle, claiming defamation by the State of Oregon. The state claiming racketeering and false billing by Oracle. A federal SWAT team found incompetence in Cover Oregon management while Oracle "threw bodies rather than skill sets" at the project. There is a reported "whistleblower" and some alleged skirting of state law. As Michael Krigman points out "With these complex IT projects most of the time it’s virtually impossible to say that blame or responsibility lies completely on one side or the other The two sides are very intertwined during the execution of the project.”

There has been a lack of perspective in reporting on this project failure because of the focus on the sensational aspects of the story. I'd like to add some more perspective:

  1. Some facts about the "Oracle Solution"
  2. The real costs to the State
  3. What $240M+ buys in the software industry
  4. The impact of $240M is on healthcare in Oregon
  5. What could have prevented this fiasco

1. Cover Oregon is a Lot More than a Web Site

FreeBalance is an Oracle middleware partner. However, FreeBalance competes against Oracle in government financial management implementations, but not against the Siebel CRM suite used for Cover Oregon. FreeBalance does not provide a healthcare exchange software application. It's unusual for me to opine about competitors/partners by name in this blog, but I think that the perspective might help in the debate. It's highly likely that both parties have some explaining to do.


Oracle has made some misleading claims in their lawsuit:

  • "Oracle is a company with a 30-year history of successfully developing and implementing some of the complex technical systems in the world including the health insurance exhanges of a least a half dozen states." – There is a big difference between "developing" and "implementing". Oracle rarely implements these systems. The statement also implies that Oracle has developed many successful health insurance exchanges. Which states? Was the Siebel product used? Was the Oracle database used and this is presented as success? The only thing relevant here is weather the same solution was used successfully.
  • Oracle claims that "public officials chose not to give a measured, fully informed response" by blaming Oracle. Welcome to the real world – the application software is the visible element – and, I can tell you, the app vendor will be blamed for systems integration, middleware, hardware and network errors. Or, internal support personnel who do not follow instructions on security patches or maintenance procedures. 
  • Oracle claims that the "state thus undertook a multi-part project of unprecedented size and complexity for which it had no expertise." Did someone put a gun to Oracle's head? If true, et should have been as obvious then that it is now. Why did Oracle take the contract? It's clear that the lack of expertise by the state was a pre-existing condition.
  • Oracle made a presentation 2 months ahead of the scheduled release indicating that requirements were not ready. It appears that not all requirements were completed where UI and security functions were not ready. There are requirements that are show-stoppers – perhaps there were. Let's say that this is true. Is a "presentation" the proper venue for this? Surely Oracle should have been communicating in many other channels prior to this date. 
  • Oracle claims that the Cover Oregon Executive Director was more concerned about the "sizzle than the steak". It is naive to think that this wouldn't occur – it is highly predictable that this happens in front-office projects in the public and private sector. And, Oracle should know this by now.
  • Oracle claims that the state "continued to frustrate Oracle's efforts at every turn. Nevertheless, Oracle continued to work at Cover Oregon's request, trying to drive the project to a conclusion." This seems to imply that Oracle was making some noise about the project but did not communicate the level of urgency. It's normal to hear an implementation firm presenting risks to protect them should things for wrong. Was Oracle seen to be in "CYA" mode by the state? 
  • Oracle makes a case that the "time and materials" contract was appropriate in this case.  Oracle claims that "without a fixed scope for the project – the equivalent of architectural blueprints – no contractor could reasonably be expected to agree to work on a fixed-fee basis." This is from a company that has theoretically done a "half dozen" of these projects and has an off-the-shelf solution. Did Oracle decide to leverage the lack of state project management capabilities to extend the time and materials? 
  • As an added point – you ALMOST NEVER get "architectural blueprints" in government RFPs for fixec price contracts using off-the-shelf software. You sometimes get process workflow ("as is" and "to be") and database models. Sometimes there are UML diagrams. These always change during implementation.

The state has also made some interesting assertions:

  • 'Oracle lied to the State about the “Oracle Solution.” Oracle lied when it said the “Oracle Solution” could meet both of the State’s needs with Oracle products that worked “out-of-the-box.” Oracle lied when it said its products were “flexible,” “integrated,” worked “easily” with other programs, required little customization and could be set up quickly. Oracle lied when it claimed it had “the most comprehensive and secure solution with regards to the total functionality necessary for Oregon.”' The jumping point for the argument seems to be about sales claims. It seems to me that it can be argued, relative to other solutions, that the software meets many of these claims. The key point is the extent to which source code had to be modified – that takes out all of the fluff about what people understand as "flexible" or "integrated."
  • It apears that Oracle decided to call "scripts" as "configuration". The state rightfully states that  "configuration does not require a software developer to write computer code to achieve the functionality." 'Oracle clarified that it scored its response to DHS’s requirements a “4” if its products met the requirement “out-of-the-box without modification or through routine configuration using the toolsets provided with the applications * * *.” Oracle claimed that “routine configuration” could be performed by business analysts and did not require software engineers to write software code or scripts.' 'According to Oracle, “customization” involved writing scripts to create new functionality. Scripts are software code that runs on top of software applications.' Scripting is programming whether macros in an Office application, JavaScript, stored procedures or interface scripts. Yet, 'Oracle scored more than 95% of the DHS’s requirements as a “4,” indicating that the “Oracle Solution” was 95% “out-of-the-box.”' 
  • Oracle claimed progress throughout the project until near the end when scope was reduced. This seems to contradict the notion that all sorts of last minute change were introduced. It's almost as if Oracle and Cover Oregon were not on the same project.
  • The state claims that "by late September, however, when Oracle was unable to demonstrate a working website." 1 or 2 weeks prior to launch is far too late to notice this. (It seems odd that the solution wasn't in final QA at this point where the number of resolved bugs exceeded the number of new bugs discovered.)
  • Cúram Software, acquired by IBM, was the only competitor in the acquisition process, and they pulled out of the process (perhaps because of the talks with IBM made their original bid invalid because the business entity was about to change). Were other vendors aware of the opportunity? Was the process truly competitive? Were other vendors well aware of the expected project problems?
  • "In November, Oracle executives continued to represent to Cover Oregon that the system was nearly ready to launch." There is a significant disconnect here in perception and communications. 
  • The claim by the state is very detailed. One of the claims is that 'Maximus, Cover Oregon’s outside quality assurance consultant, also found that Oracle’s work was below industry standards. In its October 2013 report, Maximus stated that Oracle’s “processes do not meet industry standards. Impact analysis, code review, coding standards and proper parallel development techniques are ad hoc and inconsistently applied or understood.”' Errors would easily creep into a project that had excellent business process articulation if this statement is true.
  • It should be noted that ERP companies present solutions as fully integrated and flexible. As Michael Krigsman points out: "Anybody that knows enterprise software knows that these are not absolute terms."

2. $240M is Not the Full Cost

"$240 Million" is the figure most often reported, but this does not represent the full cost to the state.

3. $240M Buys a Lot of Software Development

$240M+ buys a significant amount of software development – it is difficult to justify this cost even if the software worked.

  • $240M buys 1,000 person years of software development assuming a cost of $20,000 per month per person that includes salaries, benefits, equipment, training and space. That's more than enough to build COTS software for both functions from scratch.
  • $240M covers about 1/24 of the cost to Oracle to acquire Siebel, and, even if considering profits on Cover Oregon, is a material amount of money to recover the expense of acquisition. The $5.5B claim by the state is almost as much as the cost to acquire Siebel.
  • $240M exceeds the $110M raised by Salesforce.com when going public and possibly could cover the amount paid by Infor to acquire Saleslogix - so it stands to reason that the state could have bought a CRM vendor.
  • $240M is about 10 times the cost to acquire a core financial management system for a population of 3.9M in the international market, estimated at $6 per person. Of course, implementations in a developed country are more sophisticated – but not 10 times more sophisticated, and not for a smaller scale of functionality.
  • $240M covers twice the full ERP implementation costs for Zambia 14.3M people (originally $26M, ballooned to $42M) and Vietnam 89.7M people (originally $40M, ballooned to $71M).

4. $240M+ Has a Significant Impact to Health Care in Oregon

  • Oregon GDP was estimated at $168.6B in 2010 with total healthcare costs estimated at 17.9% in the United States giving a total spend of over $30B or around $7,750 per resident per year – roughly the full cost of supporting 31,000 Oregonians.
  • $240M covers almost half of the state's budget for "public health"
  • $240M is more than the box office receipts of the movie "Patch Adams" estimated at over $202M worldwide.
  • The $5.5B claim by the state will go a long way to balance the budget

5. What Could Have Prevented this Fiasco

  1. Software written for the private sector experiences problems when applied in the public sector. Software manufacturers operating in many industries often see the similarities in public sector needs, but rarely understand the differences – and the complexity of these differences. And, these manufacturers tap into the myth that "government should operate more like businesses." Government buyers should expect hyperbole when vendors whose products were written for the private sector claim to have "out of the box" functionality.
  2. Many problems occur in government implementations when the software vendor is not part of the governance structure. In general, the full participation of the software vendor, as consulting company, is a good sign. It's a good sign if the vendor is using the experience to upgrade software to meet the unique needs of a health exchange. Software vendors, in general, do not have an incentive to rack up services revenue because this devalues the company. However, the $240M is a drop in the bucket for Oracle. And, Oracle may not have been committed to changing the product, rather to increase the revenue associated with the time and materials contract. "Oracle lacked an accountability structure to ensure that the website design was doable within the assigned deadlines and that the deadlines actually were being met."The licenses appear to have been estimated at $7MGovernment buyers should not engage in time and materials contracts beyond prototypes and should expect software vendors to change products, not customize.
  3. Let's say that there was too much uncertainty to expect a fixed price contract. We have to accept that the "out of the box" functionality and "flexibility" notions touted by Oracle were hyperbole. Time and materials does not seem to be the appropriate contract vehicle because there isn't the kind of uncertainty associated with putting someone on the moon. Or the uncertainty around the famous McDonnell Douglas A-12 or Avro Canada CF-105 Arrow projects. A performance contract may have been more appropriate in this case where Oracle could be paid on outcomes. That could have changed incentives. Government buyers need to select the most appropriate contract method based on risk and uncertainty.
  4. The observation that there were 1,198 errors in the acceptance test period is troubling. This seems to be a phenomenal number of errors. It could be that there was no process re-engineering where government staff was looking for little or no change of behaviour from the legacy system. Or, staff did not fully articulate the requirements up front. It points to a lack of expertise by the vendor in the domain. Needs articulation and analysis ("as-is" and "to-be") should not be a generic process headed by software experts – it should be headed by domain experts. In other words, Oracle staff who were expert in insurance, health care, law (to understand Obamacare), and government financials. Oracle needed to bring more to the table than Siebel software expertise (i.e.: why not tap into the Skywire acquisition or the cadre of lawyers that go after 3rd Party Maintenance firms?). Government buyers should insist on domain experts.
  5. Implementation projects often run into problems. The stress involved often sends the client and provider into the spiral of adding more staff to try to deliver on time. This approach is almost always wrong. Increasing team size reduces efficiency, an observation made in the 1960's with the Mythical Man Month. (There is also the tendency to avoid innovative ideas and experience an increasing commitment to a failed process.) Never, never throw more people at a failing project.
  6. Oracle alleges that the state's project management was incompetent, as does the federal review. Okay. Project management in the public sector tends to be inferior than in the private sector. Oracle knows this. They know the risk. Did Oracle seek to build capacity? Did they attempt to persuade the state to provide needed information? Did they conduct change management workshops? It doesn't matter how poor the project management is on the government side – it's up to the vendor to build capacity to overcome the problem. It's public money.
  7. The implementation time frame of June 2011 to October 1, 2013 is about 18 months. This is a tight, but reasonable schedule for a project of this sort when using COTS software. It's the kind of schedule that needs risk detection and risk mitigation strategies. (See the next point.) And, it needs more agile management to test prototypes and business rules up front. Otherwise, you end up delivering something that seems to meet the spec but doesn't meet the need – the infamous "as designed" problem. Waterfall implementation methods are ineffective on tight timelines. 
  8. The state alleges that "Oracle’s president claimed that the exchange had been ready to launch in February 2014. Her self-serving claim was belied by assessments performed by independent experts." It's reasonable to think that Ms. Catz was unaware of the true situation based on feedback from the implementation team – a situation all too common in large organizations. It's hard to hide the fact that a client is unwilling to pay. Perhaps, the Oracle team decided to roll out the big gun at this point. The Oracle team should have rolled out the big gun much earlier in the process, as soon as the contract was awarded. Executives need to be up-to-date on large, unusual or highly political contracts – certainly when it's all 3. Oracle might be advised to use Oracle Risk Management software and risk management best practices. Imagine if Ms. Catz had reached out to the state when the first set of problems became evident. Government buyers and vendor partners need effective risk management processes for large contracts.
  9. Oracle does not operate as a "customer-centric" organization. That's not an unreasonable position for a technology company. Yet, there are many tools available for technology companies to collaborate with organizations – some traditional like the Primavera Enterprise Project Management Suite owned by Oracle – some based on social networking like the suite owned by Oracle. Did Oracle use these tools for project management and customer engagement? If not, why not? Software vendors need to eat their own dog food.
  10. The state alleges that Oracle exhibited a "pattern of racketeering activity." That's the kind of hyperbole one uses in lawsuits. Nevertheless, there has been a concern about vendor consolidation that is creating cartels where third party suppliers are aligning with the Tier 1 vendors. The ERP value chain for large implementations has been predominantly captured by these two vendors. Government buyers need to understand the risk of having no leverage with large vendors – it's an asymmetric battle where the vendors do not need the revenue, have access to more resources and information and have better lawyers.

Will This Bad PR Hurt Oracle?

It is unlikely that this lawsuit will hurt Oracle in any short-term material way:

  • Oracle has been able to tap into the narrative that government IT lacks competence, as do governments in general
  • Oracle fills cyberspace with marketing messages in general and promotes their views, so it's only a matter of time before the controvesy is overwhelmed by noise
  • Oracle has not appeared to have been affected by previous high profile failures in government

It is likely that the lawsuit, in combination with ERP environmental factors such as cloud computing, lack of penetration in the SME market, methods of customer ownership/rent seeking will hurt the company in the long run:

However, "it’s incongruous that a globally respected firm such as Oracle would allow its employees to produce such a deficient product. Indeed, the state goes so far as accusing Oracle of “a pattern of racketeering activitythat has cost the State and Cover Oregon hundreds of millions of dollars.”

And, as Tim Brugger points out "it's not likely Oracle will be on the hook for $5.5 billion in this case, regardless of its culpability for the Oregon Obamacare mess. But as more specifics are uncovered and the respective lawsuits run their course, how receptive will other governments and large, private entities be to hiring Oracle?"

 

ERP Vendor Approaches to Penetrating Developing Countries

August 19th, 2014

Doug Hadden, VP Products

There seems to be two approaches for achieving success in developing countries and emerging economies with enterprise-class software. A recent press releases from one of the major ERP vendors demonstrates one approach:

  1. Keep the legacy design of the software developed for advanced economies
  2. Diagnose the problem of high failure rates as a capacity problem: not enough professionals capable of using, supporting and customizing complex software, not enough bandwidth to suport systems
  3. Fund universities, Public-Private-Partnerships, work with International Financial Institutions to create educational programs designed to train people on your proprietary product
  4. Publicize with press releases
  5. Make some user interface changes that aids in usability, but does not fundamentally change the financial sustainability of solutions
  6. Call it "innovation"

We've elected to take a completely different approach:

  1. Fundamentally redesign software architecture to address the government domain
  2. Build "progressive activation" that enables matching human capacity to system functionality
  3. Optimize the technical footprint to reduce the need for high bandwidth or numerous servers
  4. Collaborate with government customers to simplify system usage and administration
  5. Focus on how we can make our systems financially sustainable

The Tier 1 ERP vendors are very challenged to move "down market" whether smaller organizations or in less developed countries. The economic model breaks down because of high costs from implementation, training, upgrades and maintenance. The approach is like "lowering the river" instead of "raising the bridge." Except in this case, dredging up new customers costs customers far more than designing to meet the need.

Public Financial Management description and trends – distilled in 10 pages

August 1st, 2014

Doug Hadden, VP Products

PFM is a complex discipline with many moving parts. Books, articles and studies have been written. It took me significant research to understand the basics of public financial management and the dominant trends. Matt Andrews, Marco Cangiano, Neil Cole, Paolo de Renzio, Philipp Krause, and Renaud Seligmann have distilled this down to 10 pages.

If only this had been available when I first started at FreeBalance!

Public Financial Management: A Critical Tool for Risk Management in Developing Countries

July 14th, 2014

Doug Hadden, VP Products

Risk management has become an important discipline in Public Financial Management (PFM), particularly in developing countries. For example, the World Bank, via the Coursera MOOC platform, is providing a very interest course on Managing Risk for Development. We have been seeing an increasing emphasis on public investment planning, performance audit and planning for environmental sustainability over the past few years. Here's my take on the contribution of PFM to risk management in developing nation governments:

Government Physical and Network Security – A Reputational Risk

June 27th, 2014

David Robillard, the President of Multilatin, spoke at our recent FreeBalance International Steering Committee (FISC) conference about the reputational risks of physical and network security.

 We recently asked David for insights that we could share with the broader Public Financial Management community with this abridged interview from his offices in Mexico City. 

Q: Is information security a compliance issue?

A: It absolutely is. The US was the first country to legislate about security breaches and make accountable those people in charge of gathering and safeguarding private data. Such laws allow their owners to complain if there is improper use, destruction or theft of sensitive data. Since the 2000's when the state of California legislated upon this matter, 46 more states in the US have followed suit, as well as several countries in Europe, Asia, Africa and Latin America (particularly Mexico, Colombia, Argentina and Uruguay).

Q: What is the weakest link in information security?

A: It depends on the kind of information you are administrating and the type of security systems you would need. For instance, if you keep personal information at the entrance of a building, the information would not need to be collected on the web, so a breach via hacking would not be a risk. In this case, the weakest links would be the person in charge of security, a thief or the loss of information. However, for every case you are only as strong as your weakest link, so according to your specific situation and the one from its owner, you would be able to identify the major threats to your information security. There is a school of thought that people are the weakest link in information security because people make poor decisions like writing passwords on sticky notes or failing to install security patches.

Q: How does poor information security cost governments?

A: Breaches in information security have high costs on reputation, both for governments and companies. If your country does not have a clear legislation on information security, it would be a bigger risk for companies to invest in that country because they cannot be sure what would happen if their information is not protected (i.e. industrial secrets), which affects the country itself and the government income. In addition, if the authorities cannot proceed against security breaches a possible theft or destruction of government's information, it could mean the no recovery of the information and big economic loses.

Q: Have you seen any good practices in Latin America?

A: Mexico has legislation where the Instituto Federal de Acceso a la Información y Protección de Datos (IFAI) can start an investigation in case a security breach occurs in order to determine who was responsible for it, as well as to guarantee that, if this happens, the owner of the information is notified and advised about what to do and how the person responsible will restore the damage.

Q: How has the thinking about "trust" changed in the error of government transparency?

A: Open government information is now considered as a right. Governments make decisions that directly affect citizens. Also, it is now considered that information access is one of the best ways to avoid corruption, as people are watching how the public funds are being used. In this sense, trust is something that governments have to earn through transparency. This means transparency access to information at the same time that legitimately sensitive information is kept secret.

Q: Some economists see corruption as a "second order" problem for growth. What's your view?

A: Corruption is one of the most important problems for growth, firstly because it is a misappropriation that impedes that the funds (private or public) get to its destiny, which in a lot of cases would benefit directly or indirectly a social sector with needs or that would help to impulse local or regional economy. So instead of benefiting a community, it goes to the hands of only a few people, which affects growth Secondly, because it affects the reputation of the company/government that is rumored to be corrupt, which probably make it difficult to invest on it or the investors would ask more money to carry out any project, so the risk may be worth to be taken. However, it may be even worse, as the investors could give bribes and the corruption circle will expand, affecting more and more the growth as more money is needed to carry out any project that could benefit the local/regional/national economy.

Q: Do you think that the media is too obsessed with the "demand side" of corruption rather that the "supply side"?

A: Yes. For corruption you will always need the two sides. I think that it was a good thing at first to "be obsessed" with the "demand side" because normally the "supply side" has no option but to give in if they want to do business.  However, we have now reached the point where both sides are in balance and little is done to attack the corruption on the "supply side" because all the efforts have been focused on the other side.

Q: Have governments become more sophisticated in risk management over the years?

A: It is a tricky question because governments have become more conscious about risk management and have introduced several practices in order to handle it, as happened with security protection. Nevertheless, risk management has become more and more difficult to handle, as risks have increased dramatically since computer technologies have become more sophisticated. Probably more important, information has become the main conduit for commerce, which means that information risks are much higher than years ago.