[this is a repost of an article I originally published in 2018)
The Federal Inspector General community is celebrating the 40th anniversary of the IG Act this year. One of the responsibilities of IGs under the Act is to provide leadership to promote economy, efficiency, and effectiveness. A good way to promote the 3 E’s is to model them and practice what we preach. As we plan for next generation oversight and accountability, OIGs might want to consider using a capability model.
What is a Capability Model?
In short, it’s a one-page matrix that shows where you’re at and where you’re going.
It’s a cousin to the maturity model Federal OIGs use to rate their agency’s IT activities under the Federal Information Security Management Act and the maturity models agencies use to assess their enterprise risk management programs. These types of models are not new. They’ve been around a long time and have their roots in the IT and computer software world. These types of models are not novel. They are currently being used by many public sector internal audit organizations around the world, including some in the US.
A capability model communicates a vision of what an OIG wants to look like in the future. It requires answering the big question: what does “optimized” oversight and accountability look like? A capability model is also a way to measure an organization’s progress on their journey to the desired state. Finally, a capability model can be used as a map for improvement.
Why Should OIGs Use Capability Models?
Describing this optimized state in a model helps to visualize and keep the desired state firmly in mind. It helps educate new staff and provides all team members with a sense of mission, direction, and expectations. Strategic planning and annual performance metrics can then be used to drive the organization towards the desired state. A risk management program can support these activities by identifying, assessing, and mitigating threats to reaching these objectives. Objectively assessing the organization’s as-is condition is important for accountability. I’m sure if I asked my friends in the federal IT world they would say FISMA is an uncomfortable annual examination that does not fully tell you the whole story of the extent of their efforts. It is nevertheless an important and objective snapshot of a point in time. Use of a capability model can help in the development of staffing plans and budget requests to go from current to desired state.
How to Develop a Capability Model (1-2-3)
Sometimes it pays to be a laggard.
One good starting point for more information on the capability model tool is guidance from the Internal Audit Foundation (Institute for Internal Auditors). The Internal Audit Capability Model (IA-CM) for the Public Sector describes the tool and provides tips for how to apply it. As with most things, one size does not fit all and this will need to be tailored for use by OIGs. I have to warn you, though: it’s a little unsettling to see how many public sector auditing organizations around the world are already using this tool.
Step 1.
The first step is to describe and define the five capability levels. The common description of Level 5 (Optimized) is pretty universal. Common descriptions of Levels 3 and 4—Integrated and Managed/Measurable—are relatively non-controversial. It’s the description of Levels 1 and 2 that require more thought. Initial or ad-hoc are commonly used descriptions for Level 1, but they may not fit a particular OIG. Nobody wants to use a capability model that’s going to undermine the credibility of their work by connoting that the office is performing at a substandard level. The five levels are listed on the vertical axis of a matrix, from bottom (Level 1) to top (Level 5).
Step 2.
The next step is to describe and define the essential elements of an oversight and accountability function. These elements go at the horizontal axis at the top of the columns. These can include elements such as People Management, Project Management, Organizational Relationships, Internal Control, Planning and Coordination, Receiving and Reviewing Complaints, Communicating Results, Culture, Services, or more. The CIGIE Quality Standards for Offices of Inspectors General is a good place to start. Too many elements will make the matrix unwieldy. Too few will make it incomplete.
Step 3.
The final step is to identify Key Process Areas for each box in the matrix. This is most challenging step. It’s similar to the process used to create employee performance standards. You need to identify relevant activities, outputs and outcomes. This requires organizational soul searching and visioning. Candid feedback from employees, senior agency officials, Congressional and other stakeholders may provide insights into expectation and capability gaps.
Below is a partial example. The essential elements along the horizontal axis are just for illustration purposes.
An OIG capability model can be an important governance tool for an OIG on the path to leading edge. It can also serve as a powerful change management tool, allowing staff and other stakeholder to visualize both incremental and transformational change. Just an idea to think about…