Doug Hadden, VP Products
The "Cover Oregon" healthcare exchange failure has made for some sensational "copy" – beginning with the "blame game" – and, now lawsuits by both parties. The contractor, Oracle, claiming defamation by the State of Oregon. The state claiming racketeering and false billing by Oracle. A federal SWAT team found incompetence in Cover Oregon management while Oracle "threw bodies rather than skill sets" at the project. There is a reported "whistleblower" and some alleged skirting of state law. There has been a lack of perspective in reporting on this $240M+ project. I'd like to give perspective:
- Some facts about the "Oracle Solution"
- The real costs to the State
- What $240M+ buys in the software industry
- The impact of $240M is on healthcare in Oregon
- What could have prevented this fiasco
1. Cover Oregon is a Lot More than a Web Site
- There has been a lot of talk about the problems with the Obamacare custom-developed and the Oracle COTS (Commercial-Off-The-Shelf) Cover Oregon solutions as "web sites" – these are not simple "web sites" but exchanges with significant amount of back-office functionality, workflow and integration required
- The implementation is 2 projects: "HIX-IT" and "Social Services Modernization"
- The key application used was Siebel Public Sector Case Management
FreeBalance is an Oracle middleware partner. However, FreeBalance competes against Oracle in government financial management implementations, but not against the Siebel CRM suite used for Cover Oregon. FreeBalance does not provide a healthcare exchange software application. It's unusual for me to opine about competitors/partners by name in this blog, but I think that the perspective might help in the debate. It's highly likely that both parties have some explaining to do.
2. $240M is Not the Full Cost
- Oracle has billed an additional $23M
- Oracle may have cost the "state as $26 million this year and $54 million next in lost carrier assessment revenue due to low enrollments"
- There can be significant internal costs for project and contract management and user training
- Commercial software usually requires maintenance fees for product support and upgrades - this adds to the Total Cost of Ownership (TCO) well beyond $240M
- The state claims to have spent over $420M so far
- The move to the federal healthcare exchange cost $18.4M
3. $240M Buys a Lot of Software Development
- $240M buys 1,000 person years of software development assuming a cost of $20,000 per month per person that includes salaries, benefits, equipment, training and space. That's more than enough to build COTS software for both functions from scratch.
- $240M covers about 1/24 of the cost to Oracle to acquire Siebel, and, even if considering profits on Cover Oregon, is a material amount of money to recover the expense of acquisition. The $5.5B claim by the state is almost as much as the cost to acquire Siebel.
- $240M exceeds the $110M raised by Salesforce.com when going public and possibly could cover the amount paid by Infor to acquire Saleslogix - so it stands to reason that the state could have bought a CRM vendor.
- $240M is about 10 times the cost to acquire a core financial management system for a population of 3.9M in the international market, estimated at $6 per person. Of course, implementations in a developed country are more sophisticated – but not 10 times more sophisticated, and not for a smaller scale of functionality.
- $240M covers twice the full ERP implementation costs for Zambia 14.3M people (originally $26M, ballooned to $42M) and Vietnam 89.7M people (originally $40M, ballooned to $71M).
4. $240M+ Has a Significant Impact to Health Care in Oregon
- Oregon GDP was estimated at $168.6B in 2010 with total healthcare costs estimated at 17.9% in the United States giving a total spend of over $30B or around $7,750 per resident per year – roughly the full cost of supporting 31,000 Oregonians.
- $240M covers almost half of the state's budget for "public health".
- $240M is more than the box office receipts of the movie "Patch Adams" estimated at over $202M worldwide.
- The $5.5B claim by the state will go a long way to balance the budget
5. What Could Have Prevented this Fiasco
- Software written for the private sector experiences problems when applied in the public sector. Software manufacturers operating in many industries often see the similarities in public sector needs, but rarely understand the differences – and the complexity of these differences. And, these manufacturers tap into the myth that "government should operate more like businesses." Government buyers should expect hyperbole when vendors whose products were written for the private sector claim to have "out of the box" functionality.
- Many problems occur in government implementations when the software vendor is not part of the governance structure. In general, the full participation of the software vendor, as consulting company, is a good sign. It's a good sign if the vendor is using the experience to upgrade software to meet the unique needs of a health exchange. Software vendors, in general, do not have an incentive to rack up services revenue because this devalues the company. However, the $240M is a drop in the bucket for Oracle. And, Oracle may not have been committed to changing the product, rather to increase the revenue associated with the time and materials contract. The licenses appear to have been estimated at $7M. Government buyers should not engage in time and materials contracts beyond prototypes and should expect software vendors to change products, not customize.
- Let's say that there was too much uncertainty to expect a fixed price contract. We have to accept that the "out of the box" functionality and "flexibility" notions touted by Oracle were hyperbole. Time and materials does not seem to be the appropriate contract vehicle because there isn't the kind of uncertainty associated with putting someone on the moon. Or the uncertainty around the famous McDonnell Douglas A-12 or Avro Canada CF-105 Arrow projects. A performance contract may have been more appropriate in this case where Oracle could be paid on outcomes. That could have changed incentives. Government buyers need to select the most appropriate contract method based on risk and uncertainty.
- The observation that there were 1,198 errors in the acceptance test period is troubling. This seems to be a phenomenal number of errors. It could be that there was no process re-engineering where government staff was looking for little or no change of behaviour from the legacy system. Or, staff did not fully articulate the requirements up front. It points to a lack of expertise by the vendor in the domain. Needs articulation and analysis ("as-is" and "to-be") should not be a generic process headed by software experts – it should be headed by domain experts. In other words, Oracle staff who were expert in insurance, health care, law (to understand Obamacare), and government financials. Oracle needed to bring more to the table than Siebel software expertise (i.e.: why not tap into the Skywire acquisition or the cadre of lawyers that go after 3rd Party Maintenance firms?). Government buyers should insist on domain experts.
- Implementation projects often run into problems. The stress involved often sends the client and provider into the spiral of adding more staff to try to deliver on time. This approach is almost always wrong. Increasing team size reduces efficiency, an observation made in the 1960's with the Mythical Man Month. (There is also the tendency to avoid innovative ideas and experience an increasing commitment to a failed process.) Never, never throw more people at a failing project.
- Oracle alleges that the state's project management was incompetent, as does the federal review. Okay. Project management in the public sector tends to be inferior than in the private sector. Oracle knows this. They know the risk. Did Oracle seek to build capacity? Did they attempt to persuade the state to provide needed information? Did they conduct change management workshops? It doesn't matter how poor the project management is on the government side – it's up to the vendor to build capacity to overcome the problem. It's public money.
- The implementation time frame of June 2011 to October 1, 2013 is about 18 months. This is a tight, but reasonable schedule for a project of this sort when using COTS software. It's the kind of schedule that needs risk detection and risk mitigation strategies. (See the next point.) And, it needs more agile management to test prototypes and business rules up front. Otherwise, you end up delivering something that seems to meet the spec but doesn't meet the need – the infamous "as designed" problem. Waterfall implementation methods are ineffective on tight timelines.
- The state alleges that "Oracle’s president claimed that the exchange had been ready to launch in February 2014. Her self-serving claim was belied by assessments performed by independent experts." It's reasonable to think that Ms. Catz was unaware of the true situation based on feedback from the implementation team – a situation all too common in large organizations. It's hard to hide the fact that a client is unwilling to pay. Perhaps, the Oracle team decided to roll out the big gun at this point. The Oracle team should have rolled out the big gun much earlier in the process, as soon as the contract was awarded. Executives need to be up-to-date on large, unusual or highly political contracts – certainly when it's all 3. Oracle might be advised to use Oracle Risk Management software and risk management best practices. Imagine if Ms. Catz had reached out to the state when the first set of problems became evident. Government buyers and vendor partners need effective risk management processes for large contracts.
- Oracle does not operate as a "customer-centric" organization. That's not an unreasonable position for a technology company. Yet, there are many tools available for technology companies to collaborate with organizations – some traditional like the Primavera Enterprise Project Management Suite owned by Oracle – some based on social networking like the suite owned by Oracle. Did Oracle use these tools for project management and customer engagement? If not, why not? Software vendors need to eat their own dog food.
- The state alleges that Oracle exhibited a "pattern of racketeering activity." That's the kind of hyperbole one uses in lawsuits. Nevertheless, there has been a concern about vendor consolidation that is creating cartels where third party suppliers are aligning with the Tier 1 vendors. The ERP value chain for large implementations has been predominantly captured by these two vendors. Government buyers need to understand the risk of having no leverage with large vendors – it's an asymmetric battle where the vendors do not need the revenue, have access to more resources and information and have better lawyers.
Will This Bad PR Hurt Oracle?
It is unlikely that this lawsuit will hurt Oracle in any material way:
- Oracle has been able to tap into the narrative that government IT lacks competence, as do governments in general
- Oracle fills cyberspace with marketing messages in general and promotes their views, so it's only a matter of time before the controvesy is overwhelmed by noise
- Oracle has not appeared to have been affected by previous high profile failures in government
Doug Hadden, VP Products
There seems to be two approaches for achieving success in developing countries and emerging economies with enterprise-class software. A recent press releases from one of the major ERP vendors demonstrates one approach:
- Keep the legacy design of the software developed for advanced economies
- Diagnose the problem of high failure rates as a capacity problem: not enough professionals capable of using, supporting and customizing complex software, not enough bandwidth to suport systems
- Fund universities, Public-Private-Partnerships, work with International Financial Institutions to create educational programs designed to train people on your proprietary product
- Publicize with press releases
- Make some user interface changes that aids in usability, but does not fundamentally change the financial sustainability of solutions
- Call it "innovation"
We've elected to take a completely different approach:
- Fundamentally redesign software architecture to address the government domain
- Build "progressive activation" that enables matching human capacity to system functionality
- Optimize the technical footprint to reduce the need for high bandwidth or numerous servers
- Collaborate with government customers to simplify system usage and administration
- Focus on how we can make our systems financially sustainable
The Tier 1 ERP vendors are very challenged to move "down market" whether smaller organizations or in less developed countries. The economic model breaks down because of high costs from implementation, training, upgrades and maintenance. The approach is like "lowering the river" instead of "raising the bridge." Except in this case, dredging up new customers costs customers far more than designing to meet the need.
Doug Hadden, VP Products
PFM is a complex discipline with many moving parts. Books, articles and studies have been written. It took me significant research to understand the basics of public financial management and the dominant trends. Matt Andrews, Marco Cangiano, Neil Cole, Paolo de Renzio, Philipp Krause, and Renaud Seligmann have distilled this down to 10 pages.
If only this had been available when I first started at FreeBalance!
Doug Hadden, VP Products
Risk management has become an important discipline in Public Financial Management (PFM), particularly in developing countries. For example, the World Bank, via the Coursera MOOC platform, is providing a very interest course on Managing Risk for Development. We have been seeing an increasing emphasis on public investment planning, performance audit and planning for environmental sustainability over the past few years. Here's my take on the contribution of PFM to risk management in developing nation governments:
We recently asked David for insights that we could share with the broader Public Financial Management community with this abridged interview from his offices in Mexico City.
Q: Is information security a compliance issue?
A: It absolutely is. The US was the first country to legislate about security breaches and make accountable those people in charge of gathering and safeguarding private data. Such laws allow their owners to complain if there is improper use, destruction or theft of sensitive data. Since the 2000's when the state of California legislated upon this matter, 46 more states in the US have followed suit, as well as several countries in Europe, Asia, Africa and Latin America (particularly Mexico, Colombia, Argentina and Uruguay).
Q: What is the weakest link in information security?
A: It depends on the kind of information you are administrating and the type of security systems you would need. For instance, if you keep personal information at the entrance of a building, the information would not need to be collected on the web, so a breach via hacking would not be a risk. In this case, the weakest links would be the person in charge of security, a thief or the loss of information. However, for every case you are only as strong as your weakest link, so according to your specific situation and the one from its owner, you would be able to identify the major threats to your information security. There is a school of thought that people are the weakest link in information security because people make poor decisions like writing passwords on sticky notes or failing to install security patches.
Q: How does poor information security cost governments?
A: Breaches in information security have high costs on reputation, both for governments and companies. If your country does not have a clear legislation on information security, it would be a bigger risk for companies to invest in that country because they cannot be sure what would happen if their information is not protected (i.e. industrial secrets), which affects the country itself and the government income. In addition, if the authorities cannot proceed against security breaches a possible theft or destruction of government's information, it could mean the no recovery of the information and big economic loses.
Q: Have you seen any good practices in Latin America?
A: Mexico has legislation where the Instituto Federal de Acceso a la Información y Protección de Datos (IFAI) can start an investigation in case a security breach occurs in order to determine who was responsible for it, as well as to guarantee that, if this happens, the owner of the information is notified and advised about what to do and how the person responsible will restore the damage.
Q: How has the thinking about "trust" changed in the error of government transparency?
A: Open government information is now considered as a right. Governments make decisions that directly affect citizens. Also, it is now considered that information access is one of the best ways to avoid corruption, as people are watching how the public funds are being used. In this sense, trust is something that governments have to earn through transparency. This means transparency access to information at the same time that legitimately sensitive information is kept secret.
Q: Some economists see corruption as a "second order" problem for growth. What's your view?
A: Corruption is one of the most important problems for growth, firstly because it is a misappropriation that impedes that the funds (private or public) get to its destiny, which in a lot of cases would benefit directly or indirectly a social sector with needs or that would help to impulse local or regional economy. So instead of benefiting a community, it goes to the hands of only a few people, which affects growth Secondly, because it affects the reputation of the company/government that is rumored to be corrupt, which probably make it difficult to invest on it or the investors would ask more money to carry out any project, so the risk may be worth to be taken. However, it may be even worse, as the investors could give bribes and the corruption circle will expand, affecting more and more the growth as more money is needed to carry out any project that could benefit the local/regional/national economy.
Q: Do you think that the media is too obsessed with the "demand side" of corruption rather that the "supply side"?
A: Yes. For corruption you will always need the two sides. I think that it was a good thing at first to "be obsessed" with the "demand side" because normally the "supply side" has no option but to give in if they want to do business. However, we have now reached the point where both sides are in balance and little is done to attack the corruption on the "supply side" because all the efforts have been focused on the other side.
Q: Have governments become more sophisticated in risk management over the years?
A: It is a tricky question because governments have become more conscious about risk management and have introduced several practices in order to handle it, as happened with security protection. Nevertheless, risk management has become more and more difficult to handle, as risks have increased dramatically since computer technologies have become more sophisticated. Probably more important, information has become the main conduit for commerce, which means that information risks are much higher than years ago.
The need for public sector accountancy was one of the subjects at the 32nd Annual Institute of Chartered Accountants of the Caribbean (ICAC) conference held in Paramaribo Suriname last week. There were lessons for the private and public sectors. The Public Financial Management (PFM) lessons included:
- Public sector accountancy is becoming more critical in the Caribbean
- Large projects for Public Financial Management reform, often called “big bang” approaches, do not work
- PFM requires a consideration of economics, understanding agent behaviour and incentives – it’s not all about accountancy
- Monitoring and internal audit are critical to fiscal discipline
- Integrated reporting concepts are moving from the private to the public sector
Public Financial Management (PFM) is undergoing change and innovation, particularly in developing countries and emerging economies. My “top 10″ takeaways from the recent International Consortium on Governmental Financial Management (ICGFM) Conference in Miami are:
- PFM continues to change, adapt and expand
- Context of informal practices and culture is necessary for PFM reform change management
- International Financial Institutions (donors) are often as much of part of the problem as the solution in PFM reform
- Transparency has a significant impact of PFM and good governance
- There are significant problems in developing country governments when adopting complex financial management software
- Public Financial Management is a continues process of reform sequencing
- “Megatrends” will have a significant impact of public policy and public financial management
- The need for procurement transparency is becoming clearer to governments
- Governments need to think in the long term to better manage risk
- Capacity building is on the critical path to PFM reform sustainability
Doug Hadden, VP Products
We were treated to a fascinating presentation at the Richard Chambers the the Institute of Internal Audit. His 10 leadership characteristics resonated with the delegates from about 40 countries, most of whom are work for government.
Doug Hadden, VP Products
The change management workshop at the 28th Annual ICGFM Conference was engaging with significant participation. That’s probably not because of my involvement so much but from the insights from Richard Hudson and Jim Wright from our partners, Evans Incorporated. It was an enjoyable 3 hours as well and participants grappling with change found it very useful.
Change management has become recognized as critical for any transformation in any organization. PFM reform has significant impact on politicians, public servants and citizens. The workshop focused on three of the many change management disciplines: risk assessment, stakeholder engagement and communications. This aligns with what we’ve experienced in implementing Government Resource Planning (GRP) systems.
The notion of using the “wrong technology” is not rated in the top 5 for financial management software failures. My observation is that some technology solutions put more of a burden on those executing change. And, many software manufacturers are not involved in the governance structure putting more of a change burden on governments and systems integrators.
The insights from the workshop apply beyond the PFM domain.