FEMA
Action Needed to Improve Administration of the National Flood Insurance Program Gao ID: GAO-11-297 June 9, 2011The National Flood Insurance Program (NFIP) has been on GAO's high-risk list since March 2006 because of concerns about its long-term financial solvency and related operational issues. Significant management challenges also affect the Federal Emergency Management Agency's (FEMA) ability to administer NFIP. This report examines (1) the extent to which FEMA's management practices affect the administration of NFIP; (2) lessons learned from the cancellation of FEMA's attempt to modernize NFIP's insurance management system; and (3) limitations on FEMA's authority that could affect NFIP's financial stability. To do this work, GAO reviewed internal control standards and best practices, analyzed agency documentation, reviewed previous work, and interviewed relevant agency officials.
FEMA faces significant management challenges in areas that affect NFIP, including strategic and human capital planning; collaboration among offices; and records, financial, and acquisition management. For example, because FEMA has not developed goals, objectives, or performance measures for NFIP, it needs a strategic focus for ensuring program effectiveness. FEMA also faces human capital challenges, including high turnover and weaknesses in overseeing its many contractors. Further, FEMA needs a plan that would ensure consistent day-to-day operations when it deploys staff to federal disasters. FEMA has also faced challenges in collaboration between program and support offices. Finally, FEMA lacks a comprehensive set of processes and systems to guide its operations, in particular a records management policy and an electronic document management system. FEMA has begun to address some of these challenges, including acquisition management, but the results of its efforts remain to be seen. Unless it takes further steps to address these management challenges, FEMA will be limited in its ability to manage NFIP's operations or better ensure program effectiveness. FEMA also faces challenges modernizing NFIP's insurance policy and claims management system. After 7 years and $40 million, FEMA ultimately canceled its latest effort (NextGen) in November 2009 because the system did not meet user expectations. As a result, the agency continues to rely on an ineffective and inefficient 30-year old system. A number of acquisition management weaknesses led to NextGen's failure and cancellation, and as FEMA begins a new effort to modernize the existing legacy system, it plans to apply lessons learned from its NextGen experience. While FEMA has begun implementing some changes to its acquisition management practices, it remains to be seen if they will help FEMA avoid some of the problems that led to NextGen's failure. Developing appropriate acquisitions processes and applying lessons learned from the NextGen failure are essential if FEMA is to develop an effective policies and claims processing system for NFIP. Finally, NFIP's operating environment limits FEMA's ability to keep the program financially sound. NFIP assumes all risks for its policies, must accept virtually all applicants for insurance, and cannot deny coverage for high-risk properties. Moreover, additional external factors--including lapses in NFIP's authorization, the role of state and local governments, fluctuations in premium income, and structural and organizational changes--complicate FEMA's administration of NFIP. As GAO has previously reported, NFIP also faces external challenges that threaten the program's long-term health. These include statutorily required subsidized premium rates, a lack of authority to include long-term erosion in flood maps, and limitations on FEMA's authority to encourage owners of repetitive loss properties to mitigate. Until these issues are addressed, NFIP's long-term financial solvency will remain in doubt. GAO makes 10 recommendations to improve the effectiveness of FEMA's planning and oversight efforts for NFIP; improve FEMA's policies and procedures for achieving NFIP's goals; and increase the usefulness and reliability of NFIP's flood insurance policy and claims processing system. GAO also presents three matters for congressional consideration to improve NFIP's financial stability. DHS concurred with all of GAO's recommendations.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Orice Williams Brown Team: Government Accountability Office: Financial Markets and Community Investment Phone: (202) 512-5837GAO-11-297, FEMA: Action Needed to Improve Administration of the National Flood Insurance Program
This is the accessible text file for GAO report number GAO-11-297
entitled 'FEMA: Action Needed to Improve Administration of the
National Flood Insurance Program' which was released on June 9, 2011.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Report to Congressional Committees:
June 2011:
FEMA:
Action Needed to Improve Administration of the National Flood
Insurance Program:
GAO-11-297:
GAO Highlights:
Highlights of GAO-11-297, a report to congressional committees.
Why GAO Did This Study:
The National Flood Insurance Program (NFIP) has been on GAO‘s high-
risk list since March 2006 because of concerns about its long-term
financial solvency and related operational issues. Significant
management challenges also affect the Federal Emergency Management
Agency‘s (FEMA) ability to administer NFIP. This report examines (1)
the extent to which FEMA‘s management practices affect the
administration of NFIP; (2) lessons learned from the cancellation of
FEMA‘s attempt to modernize NFIP‘s insurance management system; and
(3) limitations on FEMA‘s authority that could affect NFIP‘s financial
stability. To do this work, GAO reviewed internal control standards
and best practices, analyzed agency documentation, reviewed previous
work, and interviewed relevant agency officials.
What GAO Found:
FEMA faces significant management challenges in areas that affect
NFIP, including strategic and human capital planning; collaboration
among offices; and records, financial, and acquisition management. For
example, because FEMA has not developed goals, objectives, or
performance measures for NFIP, it needs a strategic focus for ensuring
program effectiveness. FEMA also faces human capital challenges,
including high turnover and weaknesses in overseeing its many
contractors. Further, FEMA needs a plan that would ensure consistent
day-to-day operations when it deploys staff to federal disasters. FEMA
has also faced challenges in collaboration between program and support
offices. Finally, FEMA lacks a comprehensive set of processes and
systems to guide its operations, in particular a records management
policy and an electronic document management system. FEMA has begun to
address some of these challenges, including acquisition management,
but the results of its efforts remain to be seen. Unless it takes
further steps to address these management challenges, FEMA will be
limited in its ability to manage NFIP‘s operations or better ensure
program effectiveness.
FEMA also faces challenges modernizing NFIP‘s insurance policy and
claims management system. After 7 years and $40 million, FEMA
ultimately canceled its latest effort (NextGen) in November 2009
because the system did not meet user expectations. As a result, the
agency continues to rely on an ineffective and inefficient 30-year old
system. A number of acquisition management weaknesses led to NextGen‘s
failure and cancellation, and as FEMA begins a new effort to modernize
the existing legacy system, it plans to apply lessons learned from its
NextGen experience. While FEMA has begun implementing some changes to
its acquisition management practices, it remains to be seen if they
will help FEMA avoid some of the problems that led to NextGen‘s
failure. Developing appropriate acquisitions processes and applying
lessons learned from the NextGen failure are essential if FEMA is to
develop an effective policies and claims processing system for NFIP.
Finally, NFIP‘s operating environment limits FEMA‘s ability to keep
the program financially sound. NFIP assumes all risks for its
policies, must accept virtually all applicants for insurance, and
cannot deny coverage for high-risk properties. Moreover, additional
external factors”-including lapses in NFIP‘s authorization, the role
of state and local governments, fluctuations in premium income, and
structural and organizational changes-”complicate FEMA‘s
administration of NFIP. As GAO has previously reported, NFIP also
faces external challenges that threaten the program‘s long-term
health. These include statutorily required subsidized premium rates, a
lack of authority to include long-term erosion in flood maps, and
limitations on FEMA‘s authority to encourage owners of repetitive loss
properties to mitigate. Until these issues are addressed, NFIP‘s long-
term financial solvency will remain in doubt.
What GAO Recommends:
GAO makes 10 recommendations to improve the effectiveness of FEMA‘s
planning and oversight efforts for NFIP; improve FEMA‘s policies and
procedures for achieving NFIP‘s goals; and increase the usefulness and
reliability of NFIP‘s flood insurance policy and claims processing
system. GAO also presents three matters for congressional
consideration to improve NFIP‘s financial stability. DHS concurred
with all of GAO‘s recommendations.
View [hyperlink, http://www.gao.gov/products/GAO-11-297] or key
components. For more information, contact Orice Williams Brown at
(202) 512-8678 or williamso@gao.gov.
[End of section]
Contents:
Letter1:
Background:
Opportunities Exist to Improve FEMA's Management of NFIP:
Acquisition Management Weaknesses Led to Cancellation of NFIP's System
Modernization Project and Offer Lessons for Future Modernization
Efforts:
NFIP's Operating Environment and External Factors Complicate
Administration of the Program, and FEMA Lacks Authority in Areas
Critical to Its Long-term Financial Health:
Conclusions:
Recommendations for Executive Action:
Matters for Congressional Consideration:
Agency Comments and Our Evaluation:
Appendix I: Objective, Scope, and Methodology:
Appendix II: Comments from the Department of Homeland Security:
Appendix III: GAO Contact and Staff Acknowledgments:
Related GAO Products:
Table:
Table 1: Summary of NextGen Application Test Plans' Satisfaction of
Key Elements of Relevant Guidance:
Figure:
Figure 1: FEMA Organizational Chart:
Abbreviations:
ARB: Acquisition Review Board:
CFO: Chief Financial Officer:
CIO: Chief Information Officer:
COTR: Contracting Officer's Technical Representative:
C&A: certification and accreditation:
DHS: Department of Homeland Security:
FEMA: Federal Emergency Management Agency:
FIMA: Federal Insurance and Mitigation Administration:
FISMA: Federal Information Security Management Act of 2002:
FREE: Flood Rating Engine Environment:
F2M: Flood Financial Management:
GIS: Geospatial Information System:
GPRA: Government Performance and Results Act of 1993:
IFMIS: Integrated Financial Management Information System:
IT: information technology:
NAPA: National Association of Public Administration:
NARA: National Archives and Records Administration:
NextGen: Next Generation Flood Insurance Management System:
NFIP: National Flood Insurance Program:
OCAO: Office of the Chief Administrative Officer:
OCCHCO: Office of the Chief Component Human Capital Officer:
OCFO: Office of the Chief Financial Officer:
OCIO: Office of the Chief Information Officer:
OCPO: Office of the Chief Procurement Officer:
OIG: Office of the Inspector General:
OPPA: Office of Policy and Program Analysis:
PFT: permanent full-time:
PKEMRA: Post-Katrina Emergency Management Reform Act of 2006:
PRP: Preferred Risk Policy:
RiskMAP: Risk Mapping Assessment and Planning:
SFHA: special flood hazard area:
SQANet: Simple and Quick Access Net:
Treasury: Department of the Treasury:
TRRP: Transaction Record Reporting Process:
WYO: write your own:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
June 9, 2011:
The Honorable Tim Johnson:
Chairman:
The Honorable Richard C. Shelby:
Ranking Member:
Committee on Banking, Housing and Urban Affairs:
United States Senate:
The Honorable Spencer Bachus:
Chairman:
The Honorable Barney Frank:
Ranking Member:
Committee on Financial Services:
House of Representatives:
The National Flood Insurance Program (NFIP), which is administered by
the Federal Emergency Management Agency (FEMA) within the Department
of Homeland Security (DHS), is a key component of the federal
government's efforts to minimize the damage and financial impact of
floods and is the only source of insurance against flood damage for
most residents of flood-prone areas. Until 2004, NFIP was able to
cover most of its claims with premiums it collected and occasional
loans from the Department of the Treasury (Treasury) that were repaid.
However, after the 2005 hurricanes--primarily Hurricane Katrina--the
program borrowed $16.8 billion from Treasury to cover the
unprecedented number of claims. NFIP has subsequently borrowed
additional funds from Treasury to make interest payments on this debt
and, as of March 2011, owed approximately $17.8 billion. Because of
structural weaknesses in the way the program is funded and operated,
NFIP is unlikely to be able to repay this debt in the near future, if
ever.
As a result of the program's importance, level of indebtedness, and
potential for future losses, we placed NFIP on our high-risk list in
March 2006.[Footnote 1] In earlier reports, we identified a number of
operational challenges that hindered FEMA's ability to effectively
administer NFIP and contributed to NFIP's placement on the list. For
example, we found internal control weaknesses in FEMA's oversight of
the write-your-own (WYO) insurers that are key to NFIP operations and
that have received payments representing one-third to two-thirds of
the premiums collected. We also found problems with the oversight of
contractors responsible for performing key NFIP functions such as
collecting NFIP data and marketing the program.
Because of the risks and challenges facing NFIP and the financial and
operational weaknesses we had identified, we undertook a review to
look for potential underlying management weaknesses that, if
addressed, might improve the operation and functioning of the program.
Specifically, our objectives were to (1) analyze the extent to which
FEMA's key management practices--including strategic planning, human
capital planning, intra-agency collaboration, records management,
financial management, and acquisition management--affect the agency's
ability to administer NFIP; (2) identify lessons to be learned from
the cancellation of its most recent attempt to modernize NFIP's flood
insurance policy and claims processing system, including to what
extent key acquisition management processes were followed; and (3)
describe factors that are relevant to NFIP operations and analyze
limitations on FEMA's authority that could affect its financial
stability.
To address these objectives, we collected available data from FEMA and
conducted over 80 interviews with representatives from FEMA and their
relevant bureaus or divisions. We also interviewed representatives of
DHS's Office of the Inspector General, the National Association of
Public Administration (NAPA), and KPMG LLP. These interviews allowed
us to gather further insights into management challenges that affect
NFIP.[Footnote 2] In addition, we analyzed planning documents,
policies, directives, materials, and data related to program, human
capital, records, acquisition, and financial management. In the areas
of human capital and financial management, we assessed the data
provided to us and found it to be sufficiently reliable for the
purposes of our report. The remaining audit work did not require a
data assessment. Further, we reviewed relevant legislation, internal
control standards, best practices, and external studies of FEMA's
management challenges. We compared the information we obtained on
NFIP's policies and procedures to relevant criteria developed by GAO
and others. To determine the lessons to be learned from the
NextGeneration Flood Insurance Management System (NextGen) program's
cancellation and to what extent key acquisition management processes
were followed on NextGen, we analyzed a range of program documentation
and interviewed cognizant program and contractor officials relevant to
the following acquisition management disciplines: requirements
development and management, test management, risk management, program
oversight, and human capital management. For each discipline, we
compared key program documentation, such as the concept of operations
document; test plans for functional, regression, and usability
testing; and NextGen application summary test reports, and risk
management and program management plans. To identify external factors
that affect NFIP's ability to carry out its mission, we reviewed our
previous reports that analyzed various aspects of NFIP's policies,
practices, and organizational structure, identifying factors that
affected NFIP's operations but over which NFIP did not have control.
To determine whether and to what extent the factors identified in
these reports were still affecting NFIP's operations, and to identify
any additional factors, we interviewed knowledgeable FEMA
representatives and reviewed relevant testimony of FEMA officials
before Congress. Appendix I provides additional details about our
scope and methodology.
We conducted this performance audit from July 2009 to June 2011 in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. The evidence
we obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
Background:
Overview of the National Flood Insurance Program:
The National Flood Insurance Act of 1968 established NFIP as an
alternative to providing direct disaster relief after floods.[Footnote
3] NFIP, which makes federally backed flood insurance available to
homeowners and businesses, was intended to reduce the federal
government's escalating costs for repairing flood damage after
disasters. Floods are the most common and destructive natural disaster
in the United States. In fact, according to NFIP statistics, 90
percent of all national disasters in the United States have involved
flooding. However, flooding is generally excluded from homeowners'
policies that typically cover damages from other losses, such as wind,
fire, and theft. Because of the catastrophic nature of flooding and
the inability to adequately predict flood risks, historically, private
insurance companies have largely been unwilling to underwrite and bear
the risk that results from providing primary flood insurance coverage.
Under NFIP, the federal government assumes the liability for the
insurance coverage and sets rates and coverage limitations, among
other responsibilities, while the private insurance industry sells the
policies and administers the claims for a fee determined by FEMA.
As of January 2011, 21,361 communities across the United States and
its territories participated in NFIP by adopting and agreeing to
enforce state and community floodplain management regulations to
reduce future flood damage. In exchange, NFIP makes federally backed
flood insurance available to homeowners and other property owners in
these communities. Homeowners with mortgages from federally regulated
lenders on property in communities identified to be in high-risk
special flood hazard areas (SFHA) are required to purchase flood
insurance on their dwellings for at least the outstanding mortgage
amount. Optional lower-cost coverage is also available under NFIP to
protect homes in areas of low to moderate risk. To insure furniture
and other personal property items against flood damage, homeowners may
purchase separate NFIP personal property coverage. Although premium
amounts vary according to the amount of coverage purchased and the
location and characteristics of the insured property, the average
yearly premium was around $620 as of October 2010.[Footnote 4]
NFIP is designed to pay operating expenses and flood insurance claims
with premiums collected on flood insurance policies rather than with
tax dollars. However, FEMA has statutory authority to borrow funds
from Treasury to keep NFIP solvent in years when losses are high.
NFIP, by design, is not actuarially sound because Congress authorized
subsidized insurance rates to be made available for policies covering
certain structures to encourage communities to join the program. As a
result, NFIP is not able to build reserves to cover losses that exceed
the historic averages.
Management of the National Flood Insurance Program:
NFIP is managed by FEMA's Federal Insurance and Mitigation
Administration (FIMA), with administrative support from FEMA's Mission
Support Bureau (see figure 1). DHS provides management direction by
issuing guidance and working to integrate its various management
processes, systems, and staff within and across its management areas.
[Footnote 5] Around 330 FEMA employees, assisted by contractor
employees, manage and oversee NFIP and the National Flood Insurance
Fund, into which premiums are deposited and from which claims and
expenses are paid. Their management responsibilities include
establishing and updating NFIP regulations, analyzing data to
determine flood insurance rates, and offering training to insurance
agents and adjusters. In addition, FIMA and its program contractors
are responsible for monitoring and overseeing the performance of the
WYO insurance companies to help ensure that NFIP is administered
properly.[Footnote 6]
FIMA receives administrative and management support as well as
direction on program operations from FEMA's Mission Support Bureau
offices, including the Office of the Chief Administrative Officer
(OCAO), Office of the Chief Component Human Capital Officer (OCCHCO),
Office of the Chief Financial Officer (OCFO), Office of the Chief
Information Officer (OCIO), and Office of the Chief Procurement
Officer (OCPO).[Footnote 7] In addition, FEMA's Office of Policy and
Program Analysis (OPPA) serves a collaborative support role to provide
leadership, analysis, coordination, and decision-making support on
agency policies, plans, programs, and key initiatives. While Mission
Support and OPPA provide important services to FIMA, their
responsibilities do not include comprehensive oversight of FIMA or
NFIP.
Figure 1: FEMA Organizational Chart:
[Refer to PDF for image: organizational chart]
Top level:
Department of Homeland Security (DHS).
Second level reporting to DHS:
Federal Emergency Management Agency (FEMA).
Third level, reporting to FEMA:
Office of the Chief Financial Officer;
Office of Equal Rights;
Office of External Affairs;
Office of Disability Integration and Coordination;
Office of REgional Operations;
Law Enforcement Advisor;
Office of Policy and Program Analysis.
Fourth level, reporting to FEMA (support services):
Regions I-X;
U.S. Fire Administration;
Response and Recovery;
Protection and National Preparedness;
Mission Support Bureau:
- Office of the Chief Administrative Officer (OCAO);
- Office of the Chief Component Human Capital Officer (OCCHCO);
- Office of the Chief Information Officer (OCIO);
- Office of the Chief Procurement Officer (OCPO);
- Office of the Chief Security Officer (OCSO);
Federal Insurance and Mitigation Administration (FIMA); FIMA is
responsible for administering NFIP:
- Office of Environmental Planning and Historic Preservation;
- Regional Operations Regional and Disaster Support Branch;
- Policy, Resources, and Communication Branch;
- Risk Analysis Division;
- Risk Insurance Division;
- Risk Reduction Division.
Source: GAO.
[End of figure]
Opportunities Exist to Improve FEMA's Management of NFIP:
We found a number of management practices that could be improved to
help FEMA more effectively administer NFIP. First, FEMA has not
provided FIMA with strategic direction and guidance for administering
NFIP and therefore lacks the starting point necessary to develop
performance measures for assessing the program's effectiveness.
Second, FEMA faces a number of human capital challenges, including
developing a strategic human capital plan that addresses mitigating
high turnover, hiring, and overseeing contractors that play a key role
in NFIP. Moreover, it has yet to adequately address managing the day-
to-day operations when deploying staff to respond to federal
disasters. Third, collaboration among offices within FEMA that are
responsible for administering NFIP has at times been ineffective,
leading to challenges in effectively carrying out some key functions.
In particular, FIMA, the office that administers NFIP, and FEMA
Mission Support, which provides mission-critical functions such as
information technology (IT), acquisition, and financial management,
have had difficulties collaborating on these functions. Finally, FEMA
does not have a comprehensive set of policies, procedures, and systems
to guide its operations. Specifically, it lacks an updated records
management policy, procedures to effectively manage unliquidated
obligations, and a fully developed and implemented documentation of
its business processes. FEMA has begun taking steps to improve its
acquisition management and document some of its business processes,
but as they were recently implemented or still in progress, the
results of these efforts have yet to be realized. Unless it takes
further steps to address these management challenges, FEMA will be
limited in its ability to manage NFIP's operations or ensure program
effectiveness.
A More Comprehensive Strategic Framework Would Improve FEMA's
Administration of NFIP:
FEMA published its most recent agencywide strategic plan in February
2011, but the plan did not clearly lay out how and where NFIP's
mission and activities fit within FEMA's own goals and
objectives.[Footnote 8] The Government Performance and Results Act of
1993 (GPRA) requires agencies to submit a strategic plan containing a
number of components, including a comprehensive mission statement,
long-term goals and objectives for major operations, and strategies
for achieving these goals and objectives.[Footnote 9] Further, we have
reported that an agency's strategic planning effort is the most
important element in results-oriented management and serves as the
foundation for defining what the agency seeks to accomplish,
identifying strategies to achieve desired results, and determining how
well it succeeds in reaching its goals and objectives.[Footnote 10]
Leading results-oriented organizations focus on the dynamic and
inclusive process of strategic planning, rather than on a strategic
planning document, to provide a foundation for day-to-day activities
and foster communication between the organization and its
stakeholders. Moreover, the committee report accompanying GPRA stated
that clear and precise goals enable an organization to maintain a
consistent sense of direction regardless of the leadership changes
that can occur frequently across the federal government.[Footnote 11]
NFIP is a major operation with $1.2 trillion in coverage and $17.8
billion in debt that has remained on GAO's high-risk list since 2006.
FEMA officials told us that FEMA chose not to prescribe goals and
objectives for specific programs in its strategic plan as required by
GPRA. They said that the agency chose a different strategic approach
that would allow for more flexibility, something that was needed
because FEMA must respond to emergencies as they occur. While FEMA may
require flexibility in its operating environment, as a federal
insurance program NFIP requires a more structured framework to help
ensure that its operations are properly managed and allow for the
development of effective performance measures. Unless FEMA provides
FIMA with strategic direction and guidance for administering NFIP, the
program risks not having a strategic focus that is aligned with agency
goals and objectives or effective performance measures.
FIMA officials told us they were in the process of developing a
strategy for mitigation and insurance but did not provide a specific
timeline for completing or implementing it and did not provide details
of what it might include. FIMA officials said they began developing
the strategy in June 2010 and had created a steering committee with
about 15 members representing various areas within FIMA. The committee
held a summit with a number of stakeholders in November 2010 to
validate the proposed mission, goals, and objectives of the
organization before entering the drafting process and expect to
eventually publish the final strategy in the summer of 2011. Because
these efforts have not yet been completed, whether the strategy will
include adequate goals and objectives for administering and managing
NFIP remains to be seen. Without goals and objectives and a firm
timeline for completing them, NFIP will continue to lack a strategic
direction.
FIMA officials said they had relied on other documents for strategic
guidance, including FEMA-and DHS-level guidance and the agency's
general mission--managing risks from all natural hazards to help free
America from the burden of such disasters. However, without specific
agency-or program-level goals, FIMA cannot ensure that any performance
measures it develops for NFIP properly and adequately measure the
program's success. According to GPRA, agencies should establish
performance indicators to be used in measuring and assessing the
relevant outputs, service levels, and outcomes of each program
activity. Moreover, GAO's Standards for Internal Control in the
Federal Government states that management should ensure that agencies
establish and review performance measures and indicators.[Footnote 12]
As we have reported, performance goals and measures that successfully
address important and varied aspects of program performance are key to
a results-oriented work environment.[Footnote 13] Measuring
performance allows organizations to track the progress they are making
toward their goals and gives managers critical information on which to
base decisions for improving their programs. We have also reported
that successful performance measures are, among other things, linked
to core program activities.[Footnote 14]
FIMA officials said that in recent years they had generally relied on
five performance measures for NFIP that they reviewed quarterly:
* Percentage of the U.S. population (excluding territories) covered by
local hazard mitigation plans that had been approved or were pending
adoption.
* Percentage of the national population whose safety had been improved
through the availability of flood risk data in Geospatial Information
System (GIS) format.
* Number of communities taking or increasing actions to reduce their
risk from natural disasters.
* Potential property losses, disasters, and other costs avoided.
* NFIP premium income per $100 dollars of combined operating expense
and historical losses paid.[Footnote 15]
However, FIMA recently revised its operating plan, which FIMA
officials said aligns resources to major activities and provides
transparency to FIMA's performance. In this revision, FIMA replaced
the five measures with 11 new performance measures aligned with DHS's
mission and relevant DHS goals. FIMA said that these measures are
still under development but that it began testing these measures in
fiscal year 2011 and plans to officially require and report them in
fiscal year 2012. They are grouped into three levels--strategic,
management, and activity--indicating how they are expected to be used
and which units will be gathering and reporting information in support
of these performance measures. The measures relate to a range of
FIMA's activities including mitigation effectiveness, mapping
progress, and NFIP operating efficiency.
However, FIMA has not had a set of strategic goals and objectives to
guide its administration of NFIP. FIMA officials plan to include long-
term goals and objectives in its upcoming strategic plan, but until
this plan is complete and effectively implemented, FIMA will continue
to be challenged by a lack of strategic focus and direction. Further,
FIMA officials will be limited in their ability to understand and
assess their effectiveness in administering NFIP and properly allocate
its resources. Further, without a strategic plan specific to FIMA that
incorporates specific goals and objectives for NFIP, determining
whether FIMA's performance measures are aligned with and appropriately
support FEMA's goals for NFIP is not possible. Without a robust set of
goals and performance measures that are aligned and appropriately
supported, FIMA is limited in its ability to monitor and hold
management and staff accountable for program performance and take
corrective actions as needed.
FEMA Lacks a Strategic Human Capital Plan That Meets Statutory
Requirements and Addresses the Agency's Human Capital Challenges,
Including Those Affecting NFIP:
The Post-Katrina Emergency Management Reform Act of 2006 (PKEMRA)
required FEMA to develop a strategic human capital plan that included
an assessment of the critical skills and competencies required for its
workforce.[Footnote 16] While FEMA developed a 2008-2012 Strategic
Human Capital Plan, we found that the plan did not meet PKEMRA's
requirements. PKEMRA required that the plan include an assessment of
(1) the critical skills and competencies that would be needed in the
workforce during the 10-year period after the law was enacted; (2) the
skills and competencies of the FEMA workforce and projected trends in
that workforce based on the expected losses due to retirement and
other attrition; and (3) staffing levels for each category of employee
and gaps that should be addressed to ensure that FEMA has continued
access to the necessary critical skills and competencies. In addition,
PKEMRA requires FEMA to develop a "Plan of Action" to address gaps in
critical skills and competencies, including:
* specific goals and objectives for recruiting and retaining
employees, such as recruitment and retention bonuses;
* specific strategies and program objectives to develop, train,
deploy, compensate, motivate, and retain employees;
* specific strategies for recruiting staff with experience serving in
multiple state agencies responsible for emergency management; and:
* specific strategies to develop, train, and rapidly deploy a surge
capacity force.
FEMA's plan--including a 2010 Human Capital Operational Plan--did not
address all PKEMRA requirements. For example, it did not define the
critical skills and competencies that FEMA would need in the coming
years or provide specific strategies and program objectives to
motivate, deploy, and retain employees, among other things. In an
October 2009 report, NAPA also stated that FEMA's plan did not meet
certain PKEMRA requirements, which the report described as being
focused on understanding and planning for the current and future
workforce. NAPA also recommended that FEMA strengthen its human
capital planning.[Footnote 17] One NAPA official noted that the 2008-
2012 Strategic Human Capital Plan is essentially a "plan to develop a
workforce plan."
We have noted in previous work that agencies should develop human
capital strategies--including succession planning, training, and staff
development--to eliminate gaps between current skills and competencies
needed for mission success.[Footnote 18] FEMA's human capital plan
does not have strategies to address retention challenges or
contractors, among other things. For example, FEMA experiences
frequent turnover in key positions and divisions that can result in
lost productivity, a decline in institutional knowledge, and a lack of
continuity for remaining staff. Within the past several years, key
leadership has also changed within several key FEMA offices that
support FIMA in some NFIP activities. For example OCCHCO has hired its
third chief in the last 2 years. Further, FEMA has experienced
turnover in several of the offices that provide critical mission
support services to NFIP. For example, OCPO, which had 88 permanent
full-time (PFT) staff at the beginning of FY 2007, had lost 59
employees as of August 2010. FEMA staff told us the high turnover had
resulted in the loss of institutional knowledge, specialized skills,
and management continuity and efficiency.
FEMA also faces challenges in hiring, which has been a major focus of
its workforce operations. As of the third quarter of fiscal year 2010,
approximately 876 of FEMA's 4,916 funded positions were unfilled.
Further, both FEMA program officials and OCCHCO, which screens
candidates, said that OCCHCO often sent candidates without the
requisite skills forward to the program offices that typically make
the final hiring decisions. OCCHCO officials told us that in several
instances program offices had not properly aligned announcements and
position descriptions, so that candidates appearing to meet the
requirements of the position description did not meet the actual
requirements of the position. OCCHCO officials added they were working
to improve the situation.
FEMA also lacks accurate data on its current staffing levels, largely
because of IT issues, exacerbating the difficulties of workforce
planning. In a 2009 review of OCCHCO, NAPA found that frequent
shifting of organizational resources over the previous 6 years, the
lack of a single system to track and account for the workforce,
complexities associated with tracking multiple workforce categories,
and problems with FEMA's human resource management system had hindered
efforts to obtain complete and accurate human capital data for review.
[Footnote 19] According to NAPA, these shortcomings had significant
consequences in 2009, when FEMA established an informal hiring freeze
because the number of staff hired exceeded authorized levels. In 2010,
the Homeland Security Studies and Analysis Institute also found a
discrepancy of around 700 filled positions between FEMA's manpower
database and National Finance Center data.[Footnote 20] The institute
found that the two most common discrepancies in employee data were
errors involving on the employees' work unit and activities. OCCHCO
officials said they had also experienced difficulties with human
resource management systems. Most recently, in 2010 DHS deployed the
Talent Link system to manage its human resource needs, but the system
was found to be incompatible with government human resource systems
and processes. As a result, a few months after Talent Link was
deployed DHS phased it out and moved FEMA to the USA Staffing system.
In addition, in spite of the importance of the work of contractors to
NFIP's activities, FEMA does not centrally track the number of
contractors or the type of work they do. For example, FIMA staff
estimated that one of its divisions had as many as 10 contractors per
FIMA staff member, and other FEMA staff said that they were unable to
estimate the number of contractors. According to a FEMA Workforce
Baseline Assessment conducted by the Homeland Security Studies and
Analysis Institute, examining the federal workforce alone cannot fully
assess FEMA's full human capital capability.[Footnote 21] The
assessment went on to note that contract support must be considered in
any discussion of FEMA staffing because contractors do not just
supplement staff efforts but perform a substantial amount of FEMA's
work. Unless FEMA tracks its contractors, it is severely limited in
its ability to assess the total workforce and their respective roles
and to plan for future staffing needs. However, pursuant to the
Consolidated Appropriations Act of 2010, the head of DHS, which
includes FEMA, is now required to prepare an annual inventory of
service contracts it awards or extends through the exercise of an
option.[Footnote 22] The initial inventory was due not later than
December 31, 2010, and annually thereafter. As part of the inventory,
DHS must include the number and work location of contractor and
subcontractor employees expressed as full-time equivalents for direct
labor, compensated under the contract.[Footnote 23]
FEMA told us it had begun developing an initial workforce assessment
that it planned to complete in 2012, but the agency is uncertain
whether it will include contractors in this study. According to FEMA
staff, a new strategic human capital plan is also under review, and
therefore, FEMA could not provide us with a copy. As a result, we were
unable to determine whether it addressed PKEMRA's requirements and the
human capital challenges that NFIP faces. Without a human capital plan
that, at a minimum, meets PKEMRA's requirements, includes a
comprehensive workforce assessment that identifies staffing and skills
requirements, addresses turnover and staff vacancies, and analyzes the
use of contractors, FEMA will continue to have difficulty hiring and
retaining staff and managing its contractors.
Neither FEMA nor FIMA Has a Plan to Ensure That Key NFIP Operations
Are Maintained When Staff Are Deployed During a Disaster:
As we have previously reported, neither FEMA nor FIMA has a plan to
help ensure that agency operations, including NFIP's, are maintained
when a federal disaster is declared and staff are required to respond
to it.[Footnote 24] Without such a plan, FEMA faces the risk that some
critical day-to-day functions may not be performed while staff are
deployed, limiting the agency's ability to provide the necessary
support for disaster relief missions. In addition to their
responsibilities for day-to-day operations, FEMA employees are also
expected to be on call during disasters for potential assignment to
disaster-related activities, including deployment to field operations.
FEMA staff told us that neither FIMA nor FEMA had a program-specific
or agencywide plan that covered all of its staff and functions,
including NFIP. According to a FEMA official, while program offices
have some ability to make decisions about how many mission-critical
staff to deploy to the field during a disaster and how many to keep in
their office positions, the current administrator has made it clear
that when a disaster hits, the priority is to deploy staff to the
field.
As was the case with Hurricane Katrina, FEMA staff can be deployed for
weeks or months and, during that time, are often performing duties in
the field that take them away from their day-to-day responsibilities.
According to a recent study by the Homeland Security Studies and
Analysis Institute, FEMA staff found that operating normally during
and immediately after a disaster was problematic due to staff
deployment and an increased workload due to the disaster.[Footnote 25]
For this reason, planning for business continuity management and
deployment planning are particularly important for the agency.
[Footnote 26] We previously reported that FEMA did not have guidelines
on what constitutes a mission-critical position, had not conducted an
assessment of the minimum level of support that would be necessary to
keep the agency fully operational, and thus had limited guidelines for
deciding who should be deployed.[Footnote 27] In addition, the report
found that nearly 57 percent of FEMA's permanent employees who are
deployable do not have assigned deployment job titles or roles that
would facilitate deployment during a disaster. Without a plan for
deploying staff during a disaster, FEMA faces the risk that critical
functions, such as managing NFIP operations, may not be performed
while staff are deployed to the field during a natural disaster,
increasing the likelihood that the agency will be unable to provide
the necessary support for disaster relief missions.
Instances of Ineffective Collaboration between FIMA and Mission
Support Have Complicated FEMA's Administration of NFIP:
FIMA relies on Mission Support for a variety of mission-critical
functions, including IT, acquisition, and financial management, but
FIMA and Mission Support have faced challenges in collaborating with
one another. In our prior work, we have identified eight practices
that agencies can use to enhance and sustain their collaborative
efforts:
* Define and articulate a common outcome.
* Establish mutually reinforcing or joint strategies.
* Identify and address needs by leveraging resources.
* Agree on roles and responsibilities.
* Establish compatible policies, procedures, and other means to
operate across agency boundaries.
* Develop mechanisms to monitor, evaluate, and report on results.
* Reinforce agency accountability for collaborative efforts through
agency plans and reports.
* Reinforce individual accountability for collaborative efforts
through performance management systems.[Footnote 28]
While these practices were originally developed for collaboration
among federal agencies, they can apply to collaboration between FIMA
and the offices that support it.
Information Technology Systems Were Developed without Full
Collaboration between FIMA and the Office of the Chief Information
Officer:
OCIO's stated function is to assist FEMA offices in IT development and
to help ensure they follow the agency's established processes for IT
system implementation. However, FIMA and OCIO faced challenges in
agreeing on roles and responsibilities and establishing mutually
reinforcing or joint strategies. For example, FIMA officials said they
had experienced difficulty in the past getting timely approvals from
OCIO for IT programs and contracts for NFIP and had sought ways to
streamline the process, including using contractors rather than OCIO
staff. FIMA officials also said that OCIO's certification and
accreditation (C&A) process--which determines whether systems are
certified to become operational--could be lengthy. They said they had
to wait months for C&A approval for at least two mission-critical
systems, one of which had been held up for about 9 months as of
February 2010. One official said this problem had arisen because the
C&A process lacked a formalized structure and communication between
FIMA and OCIO was inadequate. OCIO officials acknowledged that some
communication problems existed and said they were aware of FIMA's
concerns. OCIO's primary concern, however, was that at times FIMA
would perform IT functions independently from OCIO and believed that
involving OCIO would help streamline IT development. For example, an
OCIO official said that assessing and approving a $1 million
investment would require 30 to 45 days.
OCIO officials also said that 95 percent of FEMA's known systems were
certified but noted that other systems, including some of FIMA's that
affect NFIP, might have been developed independently of OCIO and thus
lacked its approval. For example, in the past year OCIO discovered
five FEMA human resources programs that were developed without its
knowledge or involvement. OCIO now requires that all systems on FEMA's
network complete the C&A process and be approved by the CIO, because
undocumented systems can create risks that are difficult to correct.
In accordance with the Federal Information Security Management Act of
2002 (FISMA), OCIO is creating an inventory of IT systems for each of
FEMA's offices. OCIO officials said that once the portfolio lists had
been verified, OCIO would address the backlog of pending C&As. FEMA
also developed an Acquisition Review Board (ARB) to help ensure that
IT systems within the agency are developed with the CIO's involvement,
because the acquisition system requires the CIO's approval at key
points in the IT development process.
OCIO is also taking steps to improve collaboration with FEMA's program
offices, but it is too early to determine if the issues with FIMA have
been fully addressed. For example, in January 2008 OCIO began
assigning a customer advocate to each program office to help it better
understand the IT needs of FEMA's program offices and to act as
liaisons. The customer advocates are responsible for understanding all
of the systems that are needed to support their assigned program
offices and for regularly updating the CIO. FIMA's customer advocate
said he met frequently with FIMA officials to resolve IT issues that
arose and he was aware of only one major issue--the need to replace
the legacy policy and claims processing system. While FIMA officials
have mentioned a number of processes that could benefit from greater
automation, including document management and budget formulation, it
is unclear whether they have communicated these needs to their
customer advocate. Until cooperation between FIMA and OCIO improves,
FEMA will be unable to ensure that FIMA's and NFIP's IT needs are
adequately met.
FIMA and the Office of the Chief Procurement Officer Have Differed on
Implementing a Policy for Small Business Contracts:
FEMA has exceeded its goals for awarding contracts to small
businesses, but FIMA and OCPO have differed on the question of how the
policy for setting aside these contracts should be implemented. The
federal government's goal for participation by small business concerns
is at least 23 percent of the total dollar value of all prime contract
awards for each fiscal year. By comparison, FEMA's fiscal year 2010
goal of 31.9 percent was higher because, according to OCPO officials,
DHS noticed that FEMA was exceeding its previous targets and wanted to
provide incentives for continuing to exceed them.[Footnote 29] In
general, before setting aside a contract for competition among small
businesses, an agency must conduct market research to determine
whether there is a reasonable expectation of obtaining offers from at
least two small businesses that could meet the contract's
requirements. OCPO officials make this determination within FEMA. If
the program office objects to the decision, OCPO generally asks the
office to support its position. If a disagreement persists, the Head
of Contracting Activity has traditionally resolved the disagreement
informally.[Footnote 30] No formal process exists for resolving these
disagreements or appealing decisions.[Footnote 31]
FIMA officials said that in several instances the use of small
business contracts has caused inefficiencies for NFIP. According to
these officials, flood insurance work is better suited to large
businesses. For instance, in 2007 OCPO decided to split one of FIMA's
contracts--which covered many areas of NFIP, including marketing,
training, and data management--into five smaller contracts that were
more conducive to small business involvement. According to FIMA
officials, OCPO did not involve FIMA sufficiently in this decision and
did not sufficiently consider how it would affect FIMA, which would
need additional staff to monitor the contractors and would lose
experienced contractors. OCPO officials disagreed, noting, among other
things, that the requirements for each contractor were outlined in the
contract's solicitation and only contractors that could meet the
requirements were considered.[Footnote 32] No formal process exists
for resolving the disagreement, and whether OCPO effectively
communicated to FIMA how it could justify its position is unclear.
Such disagreements indicate a need for those involved to improve their
collaboration by establishing mutually reinforcing or joint strategies
to achieve common outcomes.
According to FIMA officials, these disagreements have created
inefficiencies that have required extra work to resolve--for instance,
lengthening the time required to complete certain processes.
Recognizing that it needed to improve its relationship with program
offices, OCPO management appointed an individual to reach out to and
help them recognize the value of OCPO's services. OCPO officials said
that program offices now understand they must work with OCPO, and OCPO
hopes to improve the relationship and help the program offices to
better understand how beneficial the procurement office can be. OCPO
officials said that the office now acts as an advocate for the program
offices to DHS and helps improve communication by explaining to
program offices the reasoning behind DHS's various requirements.
Without further improvements in this area, however, FEMA cannot fully
ensure that NFIP's acquisition needs are being met.
Coordination between the Office of the Chief Financial Officer and
FIMA on Budgetary Needs Was Limited:
FIMA and OCFO have not fully coordinated solutions to FIMA's budget
formulation process. FIMA officials said they could benefit from
greater automation of the budget formulation process, which currently
relies on FEMA's Integrated Financial Management Information System
(IFMIS). In particular, FIMA officials have said they need a system
for building their budget, a process that involves estimating expected
policy fee revenue and identifying and allocating funds from six
appropriations. OCFO currently provides FIMA with spreadsheets for
formulating the budget that contain templates for the spending plans
detailing the resources required to execute programs, projects, and
activities. OCFO officials acknowledged that the current process was
more time consuming and prone to data entry errors than an automated
system would be. FIMA officials noted that using these spreadsheets
was particularly challenging because of fluctuations in NFIP premium
revenues.
To address some of these concerns, OCFO developed an automated budget
formulation tool and is customizing it to meet the agency's needs.
OCFO expects that the new tool will act as an interface with its
current systems and ease budget formulation by eliminating the use of
spreadsheets and allowing FIMA and other program offices to develop
spend plans directly in the system. The tool became operational within
OCFO in March 2011, and OCFO plans to implement it FEMA-wide on a
rolling basis throughout fiscal year 2011 to allow time to train
staff. However, both OCIO and FIMA said they did not have adequate
input into the development of the new system, and the extent to which
OCFO ever defined and documented system needs and requirements is
unclear. In particular, FIMA officials said that OCFO may not have
fully understood FIMA's needs regarding formulation and execution of
NFIP's budget and the challenges created by fluctuating premium
revenues.
Officials from KPMG, the auditor retained by DHS, also said they had
noticed communication challenges within FEMA, particularly between
FIMA and OCFO. For instance, KPMG found that FIMA had changed its
method for estimating its deferred revenue, and as DHS reported in
2008, had not communicated this change to OCFO.[Footnote 33] While
KPMG reports that this condition was corrected in fiscal year 2009, to
prevent future problems the auditor recommended that FEMA develop
better methods of communicating such changes. KPMG also found that
FEMA had not completed its documentation of formal business policies
and procedures for several of the roles, responsibilities, processes,
and functions performed within FEMA.[Footnote 34] Without better
collaboration and communication between FIMA and OCFO, FEMA will be
unable to fully ensure that NFIP's financial and budgetary needs are
being met.
FEMA Lacks Electronic Systems and Related Policies That Could Improve
Its Administration of NFIP:
FEMA is a paper-based agency and has no centralized electronic
document management system that would allow its administrative,
regional, and program offices--including FIMA--to easily access and
store documents. According to the National Archives and Records
Administration (NARA), a record enters the document life cycle at its
creation and remains in the system through its use, maintenance, and
disposition.[Footnote 35] Records enable and support an agency's
ability to fulfill its mission, and because records contain
information, taking a systematic approach to managing them is
essential. According to NARA, effective records management helps
deliver services in a consistent and equitable manner; facilitates
effective performance throughout an agency; protects the rights of the
agency, its employees, and its customers; and provides continuity in
the event of a disaster. According to NARA, from a strategic
perspective, agencies lacking effective records management policies
and procedures can hinder their ability to respond swiftly to
opportunities, events, incoming requests, and investigations, and to
effectively implement policy. From an operational perspective, such
agencies may waste internal resources searching for or recreating
records, while at the same time incurring storage costs for records
that are not properly purged. From a regulatory standpoint, such
agencies can face fines, sanctions, and convictions from noncompliance
with federal statutes, rules, and regulations. Finally, from a legal
perspective, such agencies can use excessive time, costs, and
resources during discovery in order to retrieve needed materials from
poorly organized records.
According to a FEMA official, while there is broad consensus on the
need for a centralized electronic document management system,
currently no such system is in use. According to FEMA staff, FIMA has
electronic systems in place for claims processing and correspondence
recordkeeping, and FIMA's Risk Insurance Division has a system in
place that is used for document archiving for its division. FEMA's
Records Management Division told us it had instructed program offices
needing a records management system immediately to continue the use of
existing document management systems until DHS implements such a
system. However, the agency has no policies or procedures in place for
implementing such electronic systems. FEMA officials told us they had
not implemented an agencywide system, even on an interim basis,
because they were waiting for a decision from DHS on a centralized
system.
Further, FEMA lacks effective and systematic procedures to fully
ensure that it appropriately retains and manages its records.[Footnote
36] While DHS has an overall records management directive, FEMA's
agency-specific guidance is outdated. For example, the guidance does
not provide clear direction on electronic recordkeeping but does
contain direction on file cabinet sizes and the use of candles in file
rooms. FEMA Records Management officials were unable to tell us when
an updated directive would be forthcoming. FEMA officials also said
they had a plan for annually updating file plans that staff were
supposed to follow but did not have processes in place to ensure that
the plans actually were updated.[Footnote 37]
As result of this lack of updated policy and guidance, FEMA's
recordkeeping practices, which apply to NFIP, may not conform with the
requirements of federal records management laws and regulations and
may not adhere to Standards for Internal Controls in the Federal
Government, which state that management should ensure that relevant,
reliable, and timely information is available for decision making and
external reporting.[Footnote 38] For example, in our review, FEMA
staff told us they were storing documents using a system of file
rooms, personal file cabinets, and document-sharing software with
limited staff access. According to FIMA staff, documents can be
difficult to locate and at times have been lost or thrown away when
staff separate from the agency. FEMA staff also told us they had faced
decreased productivity due to lost packages, delays in budget
execution and policy decisions, destroyed documents, and duplicated
efforts. In addition, because FEMA staff are currently spread across
several different locations in the Washington, D.C., area and 10 field
offices across the country, progress in meeting NFIP goals can be
slowed by staff's inability to locate, transfer, and archive documents
across all of these locations.
FEMA has taken two actions that could help to ensure that its current
paper-based records are effectively managed. First, in fiscal year
2010 DHS required all staff to take records management training on
their individual responsibilities for maintaining agency records. FEMA
officials told us this training was the first of its kind that the
agency had offered. Second, FEMA has begun identifying staff to act as
records liaison officers in each program office. Records liaison
officers are responsible for helping ensure that records are kept in
accordance with the agency's file plan. Agency officials told us they
relied heavily on records liaison officers to provide oversight in
these areas. However, FEMA has not yet identified records liaison
officers for each section of the agency and has not yet conducted a
review or audit to fully ensure that records were being systematically
retained and managed. Until FEMA addresses the agency's immediate need
for a centralized document management system and develops effective
policies guiding the use of electronic systems, staff will continue to
face challenges maintaining records, affecting FEMA's ability to make
effective decisions and report accurately on its finances and
operations.
FEMA's Outdated Financial Management Systems and Processes Have
Created Challenges and Left Unliquidated Obligations Unresolved:
Our review of FEMA's financial management found that staff faced
multiple challenges in their day-to-day operations due to limitations
in the systems they must use to perform these operations. OCFO staff
told us that one of the greatest challenges they faced in carrying out
their financial management responsibilities was using unautomated and
often disparate systems. For example, they said that some of their
systems for invoicing, travel management, and debt collection did not
interface with FEMA's financial management system and, as a result,
they had to manually enter data in FEMA's system. In addition, OCFO
staff said that because their current travel management system was
difficult and time consuming to use, they employed a paper-based
process for staff travel. While FEMA has plans to implement a new
system, a FEMA official told us the new system would also be time
consuming to use--for example, it would not allow staff to process
multiple travel orders in a short period of time, as would be required
during emergency deployment. Finally, OCFO staff said that both the
current debt collection and Department of Justice grant systems for
nondisaster grants required that grant obligations be entered
manually. According to FEMA officials, DHS is currently in the process
of developing a DHS-wide grants management system; however, they
estimated the system would take roughly a few more years to fully
develop and implement.
The lack of automated systems for budget formulation and execution
helped to make these tasks two of its biggest challenges. As we have
seen, FIMA currently uses a system of spreadsheets to formulate fiscal
year budgets and to track overall budget expenditure and specific line-
item expenses. According to FIMA officials, spreadsheets can be
corrupted and data are prone to errors because staff work on multiple
versions. In addition, FIMA staff also told us they faced challenges
with the paper-based tracking of requisition orders, which are sent
between departments. In order to determine what was approved or not
approved in the system on a daily basis, staff must manually track
requisition packages through various offices. An agency official told
us that the risks associated with this paper-based process were high
and there had been instances in which packages were lost or signed for
by unauthorized staff. These issues have been raised in past audits by
the DHS's Office of the Inspector General (OIG).[Footnote 39] While
FIMA has begun to implement an automated tracking system, according to
FEMA staff, the process was delayed due to IT challenges.
We have previously reported on weaknesses in FEMA's financial
management processes.[Footnote 40] For example, we reported that
internal control weaknesses had impaired FEMA's ability to maintain
transaction-level accountability; that FEMA's broader oversight
structures such as WYO company audits, the triennial operational
reviews of WYOs, and FEMA's claims reinspection program were limited
in their effectiveness; and that FEMA's initiative to improve specific
internal control weaknesses and the overall NFIP environment has done
little to address many of the NFIP financial data deficiencies
highlighted by the 2005 Gulf Coast hurricanes. In addition, we
reported that the design of FEMA's financial reporting process
increased the risk of inaccurate or incomplete data because it did not
include transaction-level data and places an over reliance on manual
data entry. Furthermore, our testing of transactions from the Bureau
and Statistical Agent database found that many transactions either
lacked or had incomplete insured names, addresses, or policy effective
dates. As a result, we were unable to test the accuracy of reported
insured premium amounts or whether policy premium information was
complete.
Recent external audits of DHS's financial statements, performed by
KPMG, have also identified material weaknesses in the area of
unliquidated obligations.[Footnote 41] As of March 2011, FEMA had a
total of $3.3 million in unliquidated obligations for NFIP-related
funds that had been inactive for at least 5 years. According to a FEMA
official, around $3.0 million of these funds could potentially be
deobligated and used for new obligations consistent with the purposes
for which the funds were appropriated.[Footnote 42] According to GAO's
Standards for Internal Control in the Federal Government, transactions
should be promptly recorded to maintain their relevance and value to
management in controlling operations and making decisions. This
applies to the entire process or life cycle of a transaction or event
from the initiation and authorization through its final classification
in summary records." Further, "control activities help to ensure that
all transactions are completely and accurately recorded." In addition,
"internal control and all transactions and other significant events
need to be clearly documented, and the documentation should be readily
available for examination." All documentation and records should be
properly managed and maintained.
KPMG cited the unliquidated obligations issue as a material weakness
in 2008 and as a significant deficiency in the 2009 and 2010
Consolidated DHS Audits. According to a FEMA official, in 2009 the
agency issued an interim directive and procedures for addressing the
unliquidated obligations issue. For example, it has started to verify
the age of obligations older than 365 days and is working with points
of contacts in program offices to certify that the unliquidated
accounts are still open. However, OCFO told us that staff had sent
memos to FIMA regarding this issue but that FIMA staff responded they
were unaware of the amount of the unliquidated obligations and the
potential amount that might be returned to FIMA. Unless FEMA
implements processes to better monitor unliquidated obligations,
including within FIMA, it could lead to inaccurate financial
statements and affect DHS's overall budget.
FEMA Has Begun to Implement Changes in Its Acquisition Management
Activities but Needs to Complete Key Steps:
FEMA has also identified a number of weaknesses in its oversight and
management of acquisitions, and DHS and FEMA have taken a number of
steps to improve these functions. However, because many of these steps
have either been recently implemented or are still under development,
the extent to which they will improve FEMA's acquisition management
remains to be seen. FEMA's acquisition management has traditionally
been guided by DHS's investment review process, which had four main
objectives:
* Identify investments that perform poorly, are behind schedule or
over budget, or lack capability, so officials can identify and
implement corrective actions.
* Integrate capital planning and investment control with resource
allocation and investment management.
* Ensure that investment spending directly supports DHS's mission and
identify duplicative efforts for consolidation.
* Ensure that DHS conducts required management, oversight, control,
reporting, and review for all major investments.[Footnote 43]
FEMA performs three types of acquisition activities: (1) acquisition
programs, which typically provide a tangible capital asset; (2)
enterprise service contracts, which provide a service with a direct
impact on FEMA's ability to carry out its mission; and (3)
nonenterprise service contracts, which provide a service but do not
have a direct impact on FEMA's ability to carry out its mission.
Historically, some FEMA investments have been funded despite not
receiving adequate review or oversight. Most notably, the NextGen
system went forward without the necessary reviews and failed after 7
years and an investment of $40 million.[Footnote 44] Further, the $1
billion Risk Mapping Assessment and Planning (RiskMAP) program, which
is an effort to modernize flood hazard mapping, was funded without
receiving approval from the review board. OCPO officials said that
this former DHS review board did not sufficiently meet the
department's acquisition oversight needs, leading DHS to issue an
interim acquisition directive in November 2008 and a final directive
in January 2010.[Footnote 45] The directive provides an overall policy
and structure for acquisition management within DHS describing the
Acquisition Life Cycle Framework, Acquisition Review Process, and ARB,
and outlines management procedures and responsibilities related to
various aspects of acquisition.
Because the DHS acquisition directive allows its component agencies to
set internal acquisition processes and procedures as long as they are
consistent with the DHS directive, in August 2010 OCPO began drafting
its own acquisition directive and a handbook explaining how to
implement it. FEMA had circulated its directive, for comments, and
OCPO officials expect it will be completed within 30 days after
comments have been collected and incorporated.[Footnote 46]
One important component of acquisition management is reviewing
programs through an ARB. FEMA created its ARB in July 2009 and had
held four meetings as of January 2011. FEMA's ARB includes two co-
chairs (the Deputy Administrator and the Component Acquisition
Executive), representatives from FEMA's various program offices, heads
of Mission Support's various offices, and others. While FEMA can
choose to review any acquisition activity, it requires that certain
items be presented to the ARB, including all acquisition programs with
life cycle costs of more than $50 million and enterprise service
contracts with annual expenditures greater than $20 million.[Footnote
47] As of January 2011, DHS recognized nine FEMA programs requiring
FEMA ARB review.[Footnote 48] Seven of these--including the $1 billion
RiskMAP program--had gone through the FEMA ARB as of January 2011, and
FEMA plans to review the other two, as well as others, in fiscal year
2011. As it continues to review its portfolio of programs, it expects
to add additional programs to this list. In particular, OCPO is
examining FIMA's acquisition activities and considering adding NFIP
operations to its ARB list.
FEMA has also faced challenges in the acquisition and oversight of its
contractors, which are critical to NFIP. Both OCPO and FIMA officials
said there had been communication challenges between contracting
officers who were part of OCPO and Contracting Officer's Technical
Representatives (COTR) who report to the contracting officers but also
work in the program offices. OCPO officials said that many COTRs were
loyal to their program office and communicated with contracting
officers only when a problem arose. FIMA officials said that
contracting officers had at times been unresponsive to them,
particularly when reporting contractor discrepancies. Moreover, both
we and KPMG previously noted weaknesses in FEMA's oversight of
contractors. For example, we reported that a lack of monitoring
records, an inconsistent application of procedures, and a lack of
coordination diminished the effectiveness of FEMA's monitoring of NFIP-
related contracts.[Footnote 49] Further, KPMG officials said that FIMA
did not provide sufficient oversight of its contractors, something
that is of particular concern because FIMA has a relatively high
proportion of contractor staff. Moreover, DHS's OIG found that
acquisition personnel could not locate a number of contract files that
were part of its review including one for a $3 million flood risk
assessment contract.[Footnote 50] The report said that missing
contract files created uncertainties, including whether proper
contracting procedures were followed, contractors were held
accountable for goods and services, and tax dollars were appropriately
spent.
To correct some of its acquisition challenges, FEMA issued a directive
in September 2009 to clarify the roles, responsibilities, and
requirements of COTRs in contract administration.[Footnote 51] This
directive includes, among other things, a COTR Tiered Certification
Program consisting of credentialing and compliance, and FEMA plans to
train all of its COTRs to their appropriate certification levels by
March 2011. Providing further guidance, FEMA also issued a COTR
handbook in February 2009.[Footnote 52] Among other things, the
handbook includes training requirements, duties, monitoring and
surveillance procedures, and documentation requirements. In May 2010,
OCPO began a technical review of COTRs' Contract Administration Files
to better ensure that COTRs were adequately documenting their
contracts. OCPO officials also said that, realizing the importance of
outreach to FEMA's program offices, they had developed and funded a
"How to Work with Us" training course and held the agency's first
annual program management seminar. Moreover, officials from FIMA's
Risk Insurance Division said they had changed their process for
monitoring contractors, including requiring the contractors to submit
monthly monitoring reports. As we have seen, most of these actions are
relatively new, and some have not been fully implemented. While these
steps need to be taken, the extent to which they will ensure effective
oversight of FEMA's acquisition activities remains to be seen. Unless
FEMA sets a firm timeline for implementing these actions, the agency
will continue to have difficulty determining whether its acquisition
processes are cost-effective, particularly those involving contractors.
FEMA's Emergency Response Culture May Make Implementing New Processes
a Challenge, but Efforts to Improve Business Processes, including
within FIMA, Have Been Initiated:
Several FEMA officials and staff told us that the emergency response
culture within the agency could create resistance to implementing
formal business processes, many of which involve NFIP. For example,
several staff suggested that difficulties in following business
processes were in part linked to FEMA's emergency response culture--
that is, its commitment to responding to disasters rather than
strategically planning how its response could be improved by
implementing more efficient office systems, policies, and processes.
Further, agency officials told us that FEMA staff generally believed
that formal or bureaucratic processes could impede their progress.
Officials suggested that these cultural issues had led to both a
general unwillingness to follow business processes at the staff level
and limited commitment to planning and oversight at the management
level. One FEMA official said that while FEMA's culture was part of
the challenge, the agency had expanded after September 11 and has
doubled in size since the 2005 Gulf Coast Hurricanes without
commensurate adjustments in processes and systems. FEMA staff also
told us that because many of FEMA's processes were manual, FEMA's
culture had become dependent on people, with staff relying on personal
relationships to accomplish tasks.
However, FEMA's Mission Support Bureau told us it had begun a business
process improvement effort in early 2009 that involved mapping the
current processes, analyzing them, and determining what changes and
improvements were needed. FEMA officials stated that the business
process issues arose because FEMA expanded significantly after
September 11, 2011, and the agency added new processes to existing
ones without making necessary adjustments to ensure that the new
processes were efficient. For example, the process for staff who were
separating from the agency was mapped as having 117 steps and was
streamlined to 88 steps. The bureau also determined that personnel
actions for the regions were done differently than they were for FEMA
headquarters. Mission Support officials said that as of July 2010 they
had completed process maps and new internal control frameworks that
affect NFIP.
FEMA staff stated that Mission Support had completed several processes
in areas such as COTR appointment and reappointment, printing, Freedom
of Information Act requests for contract-related records, personnel
actions, access control to headquarters facilities, hiring and
separating for headquarters employees, workers compensation, annual
property inventory, and the 40-1 requisition process. A FEMA official
told us that staff had discovered numerous processes that either they
did not realize they had, were different than those previously
assessed, or were needed but did not exist. Mission Support staff said
they had also found many work-around processes and processes that were
poorly documented or duplicated at different places in the agency.
FEMA officials told us they had tentative plans to roll out the
initial changes to processes throughout relevant mission teams in
2011. In addition, FIMA officials told us they had plans to undertake
a separate effort to map seven other business processes, including
those for requisitions, hiring, congressional correspondence, and
salaries and benefits. Until these mapping processes are complete and
related internal control processes are developed, a risk exists that
certain functions will be inconsistently or incompletely carried out
and adversely affect FEMA's management of NFIP.
Acquisition Management Weaknesses Led to Cancellation of NFIP's System
Modernization Project and Offer Lessons for Future Modernization
Efforts:
An important example of weaknesses in NFIP's acquisition management
activities is the canceled development of the Next Generation Flood
Insurance Management System (NextGen). Despite investing roughly 7
years and $40 million, FEMA canceled this project in November 2009
because it failed to meet user expectations. As a result, NFIP must
now continue to rely on a 30-year old flood insurance management
system that does not fully support NFIP's mission needs and is costly
to maintain and operate. A number of acquisition management weaknesses
contributed to the project's failure and cancellation, and as FEMA
begins anew to modernize the existing legacy system, it plans to apply
lessons learned from its NextGen experience. As mentioned earlier in
this report, FEMA has already implemented some changes to its
acquisition management practices. However, whether these changes will
better enable FEMA to avoid the problems that derailed the development
and implementation of the NextGen system remains to be seen.
FEMA Canceled Its NextGen Project in November 2009 and Continues to
Rely on Outdated Existing System:
NFIP currently uses a flood insurance policy and claims processing
system that was developed 30 years ago. The system is designed to (1)
collect data to determine flood insurance premium rates for specific
properties, (2) collect data on claims made on properties that have
had flood-related damage, (3) track the progress of policies and
claims, and (4) prepare legislatively mandated reports for Congress.
According to FEMA officials, this system is neither efficient nor
effective and does not adequately support the program's mission needs.
For example:
* Staff must manually input data, potentially increasing the
possibility of data errors that can take as long as 6 months to
correct.
* The system provides limited access to data needed to manage the
program, including policy and claims data provided by WYO insurers,
which currently requires time-consuming and laborious steps to view
and change a given file.
* The system employs 1980s mainframe technology and uses programming
languages that were current in the 1960s but are not widely used
today. As a result, the system is costly and difficult to maintain.
* The system can enforce restrictions on policies or claims only at
the end of each processing cycle. As a result, the number of errors
that occur during policy or claim processing is higher than it would
be if such restrictions were enforced earlier. Correcting these errors
can add as much as 2 to 3 months to the processing cycle.
NFIP's attempts to modernize the existing system date back to at least
the mid-1990s, when NFIP tried to move the system's applications and
data onto a more modern hardware and software infrastructure. However,
this effort was not successful and was canceled in the late 1990s.
According to NFIP officials, the effort failed in part because system
users were not sufficiently involved in the design process and project
management capabilities were inadequate.
In 2002, NFIP awarded a contract for the development of the NextGen
system, which was to be deployed and operational by April 2007.
According to program plans, NextGen was to employ modern technology
and reengineered business processes to, among other things, improve
the accuracy and completeness of policy and claims data and provide 24-
hour-a-day transaction processing and customer service. To meet these
goals, five system applications were to be developed, all of which
were to be supported by a new centralized database.
1. Transaction Record Reporting Process (TRRP), which was to collect
data from the WYO insurers and flood insurance vendors on policies and
claims, conduct front-end balancing of financial data, perform checks
for errors in issued policies and processed claims, and develop
financial and statistical reports.[Footnote 53]
2. Simple and Quick Access Net (SQANet), which was to permit
standardized and customized reporting of NFIP data.
3. Flood Rating Engine Environment (FREE), which was to generate
online flood insurance rates and quotes.
4. Flood Financial Management (F2M), which was to provide an interface
for NFIP financial stakeholders (NFIP bureaus, WYO companies, and
vendors) to enter, update, submit, and process monthly financial data.
5. ezClaims, which was to provide an interface for authenticated
claimants to view, edit, and process disaster and claims data.
To deliver the system, the contractor adopted a spiral development
methodology, which involves the development of prototype applications
that are tested and assessed by users and refined accordingly. Between
2004 and 2007, the five NextGen system applications and the supporting
centralized database were prototyped, pilot tested, and modified. In
May 2008, a production version of NextGen was placed into operational
use. Shortly thereafter, however, users began reporting serious
problems with the system's performance, such as inaccurate
calculations and erroneous data. For example, the system showed no
claims received or processed for the entire state of Alaska, despite
the fact that the legacy system showed numerous claims.
Shortly thereafter, NFIP decided to revert to its legacy system, and
as a result was forced to extend this system's operations and
maintenance contract. At the same time, NFIP decided to conduct user
testing on NextGen in late 2008 and early 2009. During this testing,
system users identified additional problems, causing FEMA leadership
to establish an Executive Steering Committee to decide how best to
proceed. The committee included FEMA's Director for Acquisition
Management, Chief Information Officer (CIO), Assistant Administrator
for Mitigation, and other senior-level executives. To support the
steering committee, two assessments were performed: one by the DHS
Emergency Management Inspector General that focused on FIMA's
management and oversight of both the legacy system contractor and the
NextGen contractor; and one by OCIO that focused on what could be
salvaged from NextGen. In November 2009, based on interim results from
the assessments, FEMA leadership decided to cancel NextGen.
In June 2010, FEMA leadership transferred responsibility for
modernizing NFIP's legacy system to OCIO. According to the CIO, the
next attempt to modernize NFIP's legacy system will begin with a
determination of the "degree of fit" between the NextGen applications
and NFIP's business requirements. To meet this goal, OCIO intends to
first develop a clear understanding of NFIP's business requirements.
Next, it will test the NextGen software applications against these
requirements to determine what gaps exist. During this time, OCIO also
intends to establish a project office capable of managing the effort.
As of March 2011, OCIO has hired a new project executive and project
manager and is in the process of developing project management
documentation, such as a mission needs statement and capability
development plan.
NFIP will now have to rely on its legacy system for an unspecified
period of time. As a result, NFIP's ability to manage its flood
insurance operations will continue to be hampered by this system's
limitations. In addition, NFIP will have to continue to invest in the
operations and maintenance of this system, which between June 2009 and
June 2010 cost approximately $9.35 million to operate and maintain.
According to the FEMA Acting Assistant Administrator for Mitigation,
NFIP is currently in the process of negotiating a 2-year contract
extension for operating and maintaining the legacy system.
Acquisition Management Weaknesses Led to the Cancellation of NextGen:
Weaknesses in several key system acquisition areas led to NextGen's
failure and cancellation. Specifically, business and functional
requirements were not sufficiently defined; system users did not
actively participate in determining the requirements for the
development of system prototypes or in pilot testing activities; test
planning and project risks were not adequately managed; and project
management office staffing was limited. These weaknesses can, in turn,
be attributed in large part to a general lack of executive-level
oversight and attention to the project's status.
NextGen Requirements Were Not Well Defined:
Well-defined requirements are a cornerstone of effective system
acquisition. According to recognized guidance, documenting and
implementing a disciplined process for developing and defining
requirements can help reduce the risk of developing a system that does
not perform as intended and does not meet user needs.[Footnote 54]
Such a process includes, among other things, (1) establishing a
complete and unambiguous set of high-level requirements that can form
the basis for defining the more detailed requirements that guide
system development, and (2) involving users throughout the development
process. For NextGen, neither of these conditions were met.
According to industry practices, high-level system requirements become
the basis for the development of more detailed requirements that, in
turn, can be used to develop specific software. Without complete and
clear high-level requirements, sufficiently defining the more detailed
requirements will be unlikely, in turn creating the risk that the
resulting system will not meet users' needs. While NFIP did conduct
activities intended to elicit NextGen requirements, these
requirements--which NFIP refers to as "business requirements"--were
neither complete nor clear. Specifically, NFIP established five
working groups to review and refine business processes and provided
the NextGen system developer with NFIP operational manuals. These five
groups, which were associated with five business areas--claims,
marketing, financial management, underwriting, and information
technology--were each expected to produce a set of recommended
business requirements. However, FEMA officials described the groups'
efforts as largely based on oral communications, resulting in
misunderstandings and poorly documented requirements. For example, one
working group produced four different models of business processes,
all of which were provided to the system developer as a basis for
defining more detailed system requirements. According to the system
developer, reconciling differences in these models contributed to the
challenges in defining the requirements for NextGen.
NFIP also provided the system developer with its operational manuals
(e.g., flood insurance manuals, specific rating guidelines, and
transaction reporting process manuals).[Footnote 55] However, none of
these manuals were current and complete, according to NFIP officials.
For example, officials told us the manuals were constantly changing
and did not fully reflect actual flood insurance underwriting
practices. According to these officials, only the NFIP subject matter
experts had sufficient knowledge about the practices actually being
employed. However, the subject matter experts were not sufficiently
involved in defining business requirements. As a result of this
inadequate information, the system developer had to interpret the
business requirements, leading to the development of more detailed
requirements that were later found to be incomplete and inaccurate.
Specifically, an assessment done by FEMA's CIO found that NextGen's
business and functional requirements were not sufficiently complete or
decipherable and were otherwise not captured in accordance with
industry standards.[Footnote 56]
Further, users were not sufficiently involved in defining
requirements. Best practices for defining and managing system
requirements also include eliciting user needs and involving users
throughout the development process. Continued user involvement is
particularly essential to a project for which high-level operational
or business requirements have not been well defined, as was the case
with NextGen. Recognizing the limitations in the business
requirements, and consistent with practices associated with the spiral
development methodology employed on NextGen, the system developer
conducted a series of application prototyping and pilot testing
activities between 2004 and 2006. According to officials from both
FIMA and its contractor, these activities were intended to, among
other things, discover new system requirements and clarify existing
requirements by having groups of users interact with the system
developers on early versions of the applications.
However, according to FIMA and the contractor, key subject matter
experts did not participate in these prototyping and piloting efforts,
particularly in the area of NFIP's underwriting process. Instead, user
participation was largely confined to the WYO insurance companies and
flood insurance agents that participated in NFIP. To increase user
participation, NFIP established the NextGen Executive Decision Group
in January 2006. However, minutes of the group's meetings during 2006
and 2007 indicate that limited involvement of key NFIP internal users
continued to hinder efforts to define NextGen system requirements.
Moreover, the CIO assessment found that stakeholders were not
adequately engaged in efforts to develop requirements. In particular,
the assessment found that NFIP stakeholders' needs and concerns had
not been adequately solicited and their approval of and commitment to
requirements were not obtained.
NextGen Testing Was Not Effectively Managed:
Effective testing of a system like NextGen is essential to ensuring
that the system functions as intended and meets mission needs and user
expectations. As we have previously reported, an overarching test plan
or strategy is critical for effective system testing.[Footnote 57]
Among other things, this overall test management plan should:
* define the type and timing of the developmental and operational test
events and activities;
* allow for detailed test planning and execution and ensure that the
progress of the tests can be tracked and results reported and
addressed;
* define the roles and responsibilities of the various groups that are
responsible for the test events; and:
* provide a high-level schedule for planned events and activities.
[Footnote 58]
Without such a plan, a risk exists that system testing will occur in
an ad hoc and undisciplined fashion and that problems will not be
discovered until late in the system's development cycle, when they are
more difficult and costly to correct.
NFIP did not develop an overall NextGen test management plan or create
a high-level schedule of the testing activities that would be
performed. Instead, NFIP allowed its system development contractor to
determine which tests to perform and how and when they would take
place. According to the NextGen COTR, the types of testing events that
were actually performed by the contractor were application prototyping
and pilot tests between 2004 and 2006, followed by functional,
regression, and system usability testing in 2006 and 2007. NextGen
testing also included user testing conducted by NFIP in 2008 and 2009.
Individual Test Events Were Not Well Planned:
Along with an overarching plan, specific, well-defined test plans are
necessary if testing is to be effective. According to relevant
guidance, test plans should specify each of the following key
elements:[Footnote 59]
* Roles and responsibilities: Identifies individuals or groups that
are to perform each aspect of the specific test event, such as test
operators and witnesses, and the functions or activities they are to
perform.
* Environment and infrastructure: Identifies the physical facilities,
hardware, software, support tools, test data, personnel, and anything
else necessary to support the test event.
* Tested items and approach: Identifies the object of testing (such as
specific software or hardware attributes or interfaces) and describes
the method used to ensure each feature of these objects is tested in
sufficient detail.
* Traceability matrix: Consists of a list of the requirements that are
being tested and maps each requirement to its corresponding test
cases, and vice versa.
* Risk and mitigation strategies: Identifies issues that may adversely
affect successful completion of testing, the potential impact of each
issue, and contingency plans for mitigating or avoiding these issues.
* Testing schedule: Specifies milestones, duration of testing tasks,
and the period of use for each testing resource (e.g., facilities,
tools, and staff).
* Quality assurance procedures: Defines a process for ensuring the
quality of testing, including steps for recording anomalies or defects
that arise during testing and steps for making changes to approved
procedures.
Test plans were not developed or used for prototype and pilot testing
performed by the contractor between 2004 and 2006. According to the
NextGen COTR, formal system testing was not considered necessary
during prototyping and pilot efforts under the spiral system
development approach.[Footnote 60] While testing performed during such
efforts is understandably less formal, the absence of any test plan is
not consistent with relevant guidance. As we have previously reported,
system pilots should be guided by a documented test plan that
includes, for example, the type and source of data and the associated
analysis necessary to determine the success of the pilot test.
[Footnote 61]
The contractor did develop test plans for the functional, regression,
and usability testing of the NextGen applications that occurred in
2007 and 2008. Specifically, the contractor prepared, and the COTR
approved, test plans for each test event for each application.
However, none of these plans had all of the key elements of effective
test planning. In particular, while most of the plans addressed roles
and responsibilities, environment and infrastructure, test items and
approach, and quality assurance, only two included a testing schedule,
and none included a traceability matrix or the risks to be mitigated
(see table 1).
Table 1: Summary of NextGen Application Test Plans' Satisfaction of
Key Elements of Relevant Guidance:
Key NextGen applications: Flood Rating Engine Environment (FREE);
Roles and responsibilities: fulfilled;
Environment and infrastructure: fulfilled;
Tested items and approach: fulfilled;
Traceability matrix: not fulfilled;
Risk and mitigation strategies: not fulfilled;
Testing schedule: not fulfilled;
Quality assurance procedures: fulfilled.
Key NextGen applications: Flood Financial Management (F2M);
Roles and responsibilities: fulfilled;
Environment and infrastructure: fulfilled;
Tested items and approach: fulfilled;
Traceability matrix: not fulfilled;
Risk and mitigation strategies: not fulfilled;
Testing schedule: fulfilled;
Quality assurance procedures: fulfilled.
Key NextGen applications: Simple and Quick Access Net (SQAnet);
Roles and responsibilities: fulfilled;
Environment and infrastructure: fulfilled;
Tested items and approach: fulfilled;
Traceability matrix: not fulfilled;
Risk and mitigation strategies: not fulfilled;
Testing schedule: not fulfilled;
Quality assurance procedures: fulfilled.
Key NextGen applications: Transaction Record Reporting Process (TRRP);
Roles and responsibilities: fulfilled;
Environment and infrastructure: fulfilled;
Tested items and approach: fulfilled;
Traceability matrix: not fulfilled;
Risk and mitigation strategies: not fulfilled;
Testing schedule: fulfilled;
Quality assurance procedures: fulfilled.
Key NextGen applications: ezClaims;
Roles and responsibilities: fulfilled;
Environment and infrastructure: fulfilled;
Tested items and approach: fulfilled;
Traceability matrix: not fulfilled;
Risk and mitigation strategies: not fulfilled;
Testing schedule: not fulfilled;
Quality assurance procedures: fulfilled.
Source: GAO analysis based on agency provided data.
[End of table]
* Roles and responsibilities: All of the test plans addressed roles
and responsibilities for each application. Specifically, they
identified either individuals or groups of individuals, such as the
test lead or subject matter experts that were to perform specific
functions, such as reviewing test results, providing detailed test
findings, and allocating testing resources.
* Environment and infrastructure: All of the test plans addressed
environment and infrastructure. Specifically, they described the types
of environments, such as a lab or the pilot program environment, as
well as the hardware, software, and support tools needed for testing.
Further, test data and personnel were also identified in each plan.
* Tested Items and approach: Four out of the five test plans
identified the objects to be tested and described the methods used to
ensure that each feature of these objects was tested in sufficient
detail. For example, the FREE test plan included the test scripts,
test cases, and sample test result log that would be used to test the
application and record the results.
* Traceability matrix: None of the test plans listed the specific
requirements that were being tested or mapped those requirements to
the corresponding test cases. Rather, the test plans cited a single
overarching requirement. For example, the SQANet test plan cited the
requirement that NextGen provide NFIP reporting capabilities. However,
this requirement was not broken down into subordinate requirements or
mapped to corresponding test cases.
* Risk and mitigation strategies: None of the test plans identified
issues that might adversely affect successful completion of testing.
Although the TRRP test plan identified assumptions and constraints--
for example that the subject matter experts would be available to
provide documentation and rationale for identified discrepancies--the
plan did not identify any assumptions or constraints as risks or
provide plans for mitigating or avoiding their impacts.
* Testing schedule: Two of the five test plans (TRRP and F2M) included
a detailed testing schedule. For example, both test plans cited the
test name, tasks, timeframes, and durations (estimated number of
hours). The other test plans referred to the NextGen project
management plan and the project schedule for a testing schedule.
However, neither of these project-level documents contained detailed
information about these test events.
* Quality assurance procedures: All of the test plans included quality
assurance procedures. Specifically, the plans described a process,
including steps, for identifying and documenting issues or defects
that arise during testing and for making changes to approved
procedures. For example, the SQANet test plan defined a process for
identifying and documenting test anomalies that included explaining
each defect/issue found, capturing screenshots depicting the
defect/issue, describing the testing environment or special testing
method used to identify the defect/issue, and reviewing and resolving
the defect/issue.
According to the NextGen COTR, risk mitigation strategies were not
included in the test plans because they had already been addressed in
a risk list that the contractor developed and maintained, and test
schedules were not included because they were already in the NextGen
project management plan. However, the contractor did not effectively
implement the risk management activities, and as we have seen, the
NextGen project management plan did not include a schedule that
detailed specific test activities. The COTR also told us that
traceability matrices were not included because DHS did not require
them at the time the test plans were developed and executed. But
according to industry best practices, traceability matrices are
essential to helping ensure that the scope of test activities is
adequate.
In addition, no user acceptance test plans were developed for the user
testing that NFIP conducted in 2008. Instead, the program's branch
chiefs selected eight NFIP subject matter experts to separately and
individually test the system using system queries (test cases and
procedures) of their own choosing based on their respective knowledge.
In doing so, they were also told to compare their respective query
results with results of similar queries of the legacy system.
According to the NextGen COTR, user acceptance test plans were not
developed because the tests performed by the subject matter experts
were considered to be sufficiently specific and limited, focusing on
finding the few "glitches" remaining after the initial deployment. As
a result, user test plans were considered at the time to be
unnecessary. Without well-defined test plans, however, the
effectiveness of the testing performed could not be determined.
Problems Found During User Acceptance Testing Were Not Effectively
Managed:
Effective test management includes not only capturing, prioritizing,
tracking, and resolving any problems identified during testing, but
also disclosing to stakeholders when and how problems are resolved.
According to relevant guidance and best practices, this element of
test management should be governed by a defined process and should
ensure that those who are responsible for correcting the problems
understand the full scope of system problems and the status of their
resolution.[Footnote 62]
The problems identified during NFIP's user acceptance testing of
NextGen in 2008 were not governed by a defined and disciplined process
for capturing, prioritizing, tracking, and resolving these problems.
Specifically:
* The NextGen contractor was tasked with maintaining a list of
problems identified. However, users participating in the testing told
us they were not required to capture problems using a standard format
and that the NFIP project office did not centrally merge and transmit
the problems they identified to the contractor. Instead, these users
said they separately and individually communicated the problems they
each found either orally in meetings or via emails. However, NFIP
officials also told us the NextGen contractor did not attend all of
these meetings and the issues raised in these meetings were not always
documented or provided to the contractor. As a result, NFIP and
contractor officials agreed that the contractor's list of problems
requiring resolution was incomplete.
* The NextGen project office did not maintain its own centralized list
of problems requiring resolution. As a result, the project office did
not know the universe of problems requiring resolution and could not
track the status of each problem's resolution.
* Users participating in the system testing told us they were not told
whether the problems they had identified were ever resolved or when
and how resolution of those that were resolved took place. They said
that this lack of communication regarding the resolution of system
problems ultimately resulted in their rejection of the NextGen system.
Because of these weaknesses in how NFIP managed the resolution of
problems identified during user acceptance testing, the NextGen
project office was unable to demonstrate to the FEMA Acting Assistant
Administrator that NextGen met NFIP mission needs and user
requirements. This inability, in combination with the other
acquisition management weaknesses, contributed to NextGen's
cancellation.
FEMA Could Have More Effectively Managed NextGen Risks:
According to federal guidance, proactively managing project risks can
increase the chances of delivering promised system capabilities and
benefits on time and within budget.[Footnote 63] We have reported that
effective risk management, among other things, includes defining and
implementing a process that identifies, analyzes, and mitigates risks
and periodically examines the status of the identified risks and
mitigation steps.[Footnote 64] NFIP did not define and implement its
own risk management process for its NextGen acquisition but instead
delegated risk management to the NextGen system development
contractor. NFIP officials said they did not conduct their own risk
management activities because the NextGen project office was not
staffed to do so. They said they expected the contractor to manage all
project risks and believed they did not need to duplicate these
efforts.
The contractor did follow a process of identifying and analyzing risks
and developing plans for implementing them that involved actions on
the part of both NFIP and the contractor. However, not all of these
plans were effectively implemented, in some instances because NFIP did
not take the appropriate action, and in others because the contractor
did not receive devoted resources to implement the action.
In total, the contractor's risk management efforts identified 72 risks
over the life of the project, of which 47 (about 65 percent) remained
open at the time the project ended. Of these 47 open risks, 36 (about
77 percent) related to the contractor's inability to gain access to
NFIP staff or obtain information from NFIP staff or the legacy
contractor. Specifically, 11 risks, the first of which was identified
in July 2003, were associated with the lack of participation by NFIP
subject matter experts in the prototyping and piloting of system
applications. While FEMA established an executive-level decision group
in 2006 to address this category of risks, risk related to lack of
participation by subject matter experts continued to be identified and
remained open at the time the project was canceled.
Twenty-five risks were related to a lack of timely delivery of
information from NFIP to the development contractor. For example, NFIP
did not provide timely delivery of comments on deliverables and the
legacy system that NextGen was to replace. According to the
contractor's risk management documentation, these delays affected the
development and pilot testing of key applications and thus the entire
NextGen schedule. However, this documentation also shows that little
or no action was taken by NFIP to address the risks.
The NextGen project also faced risks beyond those identified by the
NextGen contractor. However, some of these risks were never captured
and mitigated because they were outside the contractor's control. For
example, documentation shows that NFIP officials were aware that
representatives from both the NFIP NextGen office and the legacy
contractor resisted NFIP's earlier attempt to move the NFIP system
onto a new platform. However, the risk that this resistance posed to
the new system was not included in the NextGen contractors' risk list,
and steps to mitigate this risk were not taken. Later in the
development of NextGen, this ongoing resistance was cited as having
impaired NFIP's ability to develop the NextGen system. Specifically,
the DHS Emergency Management IG reported that 14 NFIP staff in key
positions relative to approving NextGen favored the legacy contractor
and helped to promote a divisive atmosphere that limited NFIP's
ability to develop NextGen.[Footnote 65]
The NextGen Project Office Would Have Benefited from Additional Staff:
As we have previously reported, having sufficient project office staff
with the requisite capabilities is essential to effectively managing a
system acquisition like NextGen.[Footnote 66] Establishing such an
office requires, among other things, an assessment of the core
competencies and associated knowledge, skills, and abilities needed to
perform key project management functions. It also requires an
understanding of the knowledge, skills, and abilities of those
assigned to the project, so that any gaps can be identified and a plan
for filling those gaps can be developed and executed.
The NextGen project office was not adequately staffed, having only one
full-time government employee, the COTR, assigned from 2006 to the
project's cancellation. No project management staff were assigned to
perform such critical system acquisition management functions as
developing and managing system requirements, managing system testing,
and managing risk. Instead, NFIP relied almost exclusively on the
NextGen contractor to perform these and other project management
functions.
According to a FEMA official, the NextGen project office requested
additional staff in 2006, but the Acting Assistant Administrator for
Mitigation denied the request because of resource constraints.
Moreover, the request was for only one part-time person and was not
based on a project management human capital assessment, which
generally should include an analysis of needs and existing
capabilities, the associated gap, and a plan for addressing identified
gaps.
NextGen Needed More Effective Executive Oversight:
As we have previously reported, successfully acquiring IT systems
requires the oversight and informed decision making of a senior-level
investment review board.[Footnote 67] Among other things, such a board
is responsible for selecting among competing IT investments and
overseeing those investments throughout their respective life cycles
to help ensure that project cost, schedule, and performance
commitments are met, benefit expectations are realized, risks are
minimized, and project managers are held accountable for results. DHS
has recognized the need for such a system investment oversight body.
Specifically, DHS established a department-wide investment review
board in 2003. In November 2008, DHS revised its acquisition review
process to include updating this board, which became the ARB, as the
department's highest review body and charging it with reviewing and
approving all investments with life cycle costs above $300 million. In
addition, it established working groups and other boards, such as the
Enterprise Architecture Board and the Program Review Board, to provide
subject matter expertise to the ARB, and the Joint Requirements
Council to validate the results of the strategic requirements planning
process. Further, DHS required each of its component organizations,
including FEMA, to establish and operate review boards to oversee
their respective investments.[Footnote 68]
However, neither FEMA nor DHS provided effective executive-level
oversight of NextGen. Specifically, no FEMA review board or executive
office, such as the CIO and Chief Financial Officer (CFO), ever held
an oversight or milestone-decision review for NextGen. The DHS review
board's last oversight of NextGen occurred in 2007. At that time, the
ARB conditionally approved NextGen and delegated future oversight of
the project to FEMA. However, FEMA did not have a review board in
place at the time of the ARB's decision, having recently disbanded it
because the demands of Hurricane Katrina made attendance at board
meetings a low priority for members. The current FEMA CIO stated that
OCIO and OCFO had not been more involved in NextGen because FIMA was
not responsive to their requests for information about the project.
NFIP's Operating Environment and External Factors Complicate
Administration of the Program, and FEMA Lacks Authority in Areas
Critical to Its Long-term Financial Health:
NFIP's operating environment differs from that of traditional insurers
and limits FEMA's ability to keep the program financially sound. In
particular, NFIP assumes and retains all of the risks for the policies
it sells, is required to accept virtually all applicants for
insurance, and cannot deny coverage for potentially high-risk
properties. Moreover, additional external factors continue to
complicate the administration of NFIP and affect its financial
stability. These include lapses in NFIP's authorization, the role of
state and local governments, fluctuations in premium income, and
structural and organizational changes that have been made. Finally, as
noted in past GAO reports, NFIP also faces external challenges that
will continue to threaten the program's long-term financial health if
they are not addressed. These include statutory requirements that NFIP
charge subsidized premium rates for many properties, a lack of
authority to include long-term erosion in the flood maps used to
determine rates, and limitations on FEMA's ability to take action when
some owners of repetitive loss properties refuse to mitigate or accept
FEMA's mitigation offers.[Footnote 69]
NFIP's Operations Differ from Those of Private Insurers:
Any discussion of the challenges that FEMA faces in administering NFIP
must take into account important differences between the government's
flood insurance program and private insurers. For example, by design
NFIP does not operate like a private insurer but must instead meet a
public policy goal--to provide flood insurance in flood-prone areas to
property owners who otherwise would not be able to obtain it. At the
same time, it is expected to cover its claims losses and operating
expenses with the premiums it collects, much like private insurers. In
years when flooding has not been catastrophic, NFIP has generally
managed to meet these competing goals. But in years of catastrophic
flooding, such as 2005, it has not. During those years, it has
exercised its authority to borrow from Treasury to pay claims and, as
of April 2011, NFIP owed approximately $17.8 billion to Treasury,
mostly for the 2005 hurricane season. NFIP will likely not be able to
meet its interest payments in all years, causing the debt to grow in
certain years as FEMA may need to borrow to meet the interest payments
in some years and potential future flood losses in others. This
arrangement results in much of the financial risk of flooding being
transferred to the U.S. Treasury and ultimately the taxpayer.
Further, NFIP is also required to accept virtually all applications
for insurance and cannot deny coverage or increase premium rates based
on the frequency of losses. Private insurers, on the other hand, may
reject applicants or increase rates if they believe the risk of loss
is too high. As a result, NFIP is less able to offset the effects of
adverse selection--the phenomenon that those who are most likely to
purchase insurance are also the most likely to experience losses.
Adverse selection may also lead to a concentration of policyholders in
the riskiest areas. This problem is further compounded by the fact
that those at greatest risk are required to purchase insurance from
NFIP if they have a mortgage from a federally regulated or insured
lender.
Finally, by law, FEMA is prevented from raising rates on each flood
zone by more than 10 percent each year. While most states regulate
premium prices for private insurance companies for other lines of
insurance, they generally do not set limits on premium rate increases,
instead focusing on whether the projected losses and expenses justify
them.
A Variety of External Factors Complicate FEMA's Administration of NFIP:
As previously reported, FEMA also faces a number of external factors
that are not necessarily within its control but that also must be
considered when discussing the administration of the program. First,
FEMA relies on private insurers to sell and service policies and
adjust claims under the Write-Your-Own (WYO) Program, but multiple
lapses in program authorization in recent years have strained NFIP's
relationship with WYO insurers. In particular, NFIP's legal
authorization has lapsed multiple times since it expired in 2008,
leaving FEMA and WYO insurers unable to renew policies that expired
during these lapses. Recent reauthorizations of the program have been
for periods of time as short as 5 days. FIMA officials said these
lapses in reauthorization created a significant burden for WYO
insurers. For example, the insurers were forced to reallocate
resources to communicate with agents and customers about how program
lapses would affect them. In part for this reason, the largest WYO
insurer left the program, and NFIP is transitioning the 840,000
policies that the insurer had been selling and servicing to NFIP's
Direct Servicing Agent.[Footnote 70]
Second, like some other federal programs, FEMA relies on state and
local governments and communities to implement parts of the program,
which can limit the effectiveness of some of FEMA's efforts. For
example, communities enforce building codes and other floodplain
management regulations in an effort to reduce the flood risk that
insured structures face, but some communities may not have sufficient
resources to enforce existing regulations. FEMA also relies on
communities to administer grant funds that are intended to mitigate
high-risk properties.[Footnote 71] However certain types of
mitigation, such as relocation or demolition, might be met with
resistance by communities that rely on those properties for tax
revenues, such as coastal communities with significant development in
areas prone to flooding. Finally, communities and individuals have
sometimes mounted challenges to and resisted flood map revisions that
place homes in higher-risk flood zones and would thus raise premium
rates.
Third, the financial resources that NFIP uses to fund much of its
operations have fluctuated in recent years. NFIP divides the premiums
paid by policyholders into "mandatory" and "discretionary" dollars.
Most premium dollars are considered mandatory and are used to pay
flood claims and other budget items such as WYO fees and advertising.
The remaining premium dollars are allocated to discretionary uses and
are used to fund NFIP operations.[Footnote 72] FIMA staff have noted
that lower-than-expected policy fee income in recent years has forced
them to cut back on certain functions, including contract and WYO
oversight, field office management, and community outreach. For
example, FEMA officials said that in 2009 FEMA based NFIP's budget on
expectations that the program would collect $156 million in policy
fees, $107 million of which the President's budget required to be
spent on mapping. By the end of the fiscal year, NFIP had collected
only $144 million in policy fees, leaving NFIP with only $37 million,
instead of the expected $49 million, to pay salaries and other
operating expenses. NFIP received approval from Congress to redirect
$4.9 million in mandatory funds from the advertising budget into the
discretionary budget to pay for these expenses, and it compensated for
the remaining $7.1 million shortfall with spending cuts, largely from
staff attrition and a hiring freeze.
Finally, both FEMA and FIMA have faced many significant changes to
their organizational structures and responsibilities since 2001,
creating challenges in implementing consistent and effective business
processes. FEMA underwent several organizational changes in 2001 and
2002, but the most significant change occurred in 2003, when FEMA
transitioned from an independent agency to a component of the newly
created DHS. At that time, FEMA became part of DHS's Emergency
Preparedness and Response Directorate, and some of its functions were
moved to other organizations within DHS. In addition, functions that
had formerly been part of other agencies were incorporated into the
new Emergency Preparedness and Response organization. From 2003
through 2005, over $1.3 billion in new or significantly expanded
programs came into FEMA, while programs with funding of nearly $1.5
billion were transferred out. Although these changes nearly balance in
dollar terms and the number of employees remained the same, they
created considerable disruption to FEMA's operations and uncertainty
about the availability of resources. After the 2005 hurricanes and the
widespread perception that FEMA had failed to effectively meet its
mission, the agency faced changes that created further uncertainty and
affected employee morale. In 2007, PKEMRA expanded FEMA's mission by
integrating preparedness with protection, recovery, response, and
mitigation to address all hazards. FEMA was reorganized again in 2009
at the direction of a new FEMA Administrator. At the same time, FIMA
has also faced considerable organizational changes--both through the
overall FEMA reorganizations and additional reorganizations that
occurred with successive FIMA administrators, most significantly in
2006.[Footnote 73] Policies and processes are often specific to the
organizational and oversight structures that are in place when they
are created, and when those structures change, the policies and
processes may no longer be relevant or complete.
FEMA Lacks Authority in Areas Critical to Its Long-term Financial
Health:
FEMA Lacks Authority to Charge Full-Risk Rates on Many Properties and
Is under Pressure to Allow Grandfathered Rates on Others:
As we have pointed out in previous reports, FEMA is required by law to
charge many policyholders less than full-risk rates, otherwise known
as subsidized rates.[Footnote 74] These rates are intended to
encourage property owners to purchase flood insurance, and today
nearly one out of four NFIP policies are based on a subsidized rate.
These rates allow policyholders with structures that were built before
floodplain management regulations were established in their
communities to pay premiums that represent about 40 percent to 45
percent of the actual risk premium. Moreover, FEMA estimates that
properties covered by policies with subsidized rates experience as
much as five times more flood damage than compliant new structures
that are charged full-risk rates. One difficulty in analyzing the
effect of subsidized premium rates is that, while they affect the
overall financial stability of NFIP and can potentially increase
borrowing from the Treasury, the subsidy is not recognized in FEMA's
budget. As we have reported in the past, the cost of federal insurance
programs is often not accurately reflected in agencies' budgets.
[Footnote 75] As a result, Congress may not have adequate information
about the potential claims on the federal budget when it establishes
or reviews federal insurance programs. This lack of information may be
especially problematic in the case of NFIP because of the continued
growth in the subsidy. As we have pointed out, the number of policies
receiving subsidized rates has grown steadily in recent years, and
without changes to the program, will likely continue to grow,
increasing the potential for future NFIP operating deficits.[Footnote
76]
In addition, NFIP may "grandfather" properties when new flood maps
place them in higher-risk zones. Unlike private insurers that charge
risk-based rates, FEMA made a policy decision to allow certain
properties remapped into riskier flood zones to keep their previous
lower rates. While FEMA is not statutorily required to grandfather
these policies, FEMA officials told us that they made the decision
because of resistance to rate increases and based on considerations of
equity, ease of administration, and goals of promoting floodplain
management. However, homeowners who are remapped into high-risk areas
and do not currently have flood insurance may be required to purchase
it at the full-risk rate. Further, FEMA recently introduced a new
rating option called the Preferred Risk Policy (PRP) Eligibility
Extension that is, in effect, a temporary grandfathering of premium
rates.[Footnote 77] While PRPs traditionally would have to be
converted to more expensive standard-rated policies when they were
renewed, FEMA extended PRP eligibility to 2 years after a new flood
map's effective date or January 1, 2011, whichever is later. FEMA made
the decision to offer these lower rates in response to significant
community resistance to remapping and the resulting increased rates as
well as concern expressed by Congress. As we have reported, to the
extent that NFIP charges less than full-risk rates on many properties,
it adds to the risk that the program will need to borrow from Treasury
to pay claims.
FEMA Is Not Authorized to Account for Long-term Erosion in Developing
Flood Maps:
While FEMA is in the process of updating the flood maps used to set
premium rates for NFIP, it is not authorized to account for long-term
erosion in developing these maps.[Footnote 78] The purpose of these
maps is to accurately estimate the likelihood of flooding in specific
areas given certain characteristics including elevation and
topography. Despite these modernization efforts, some maps can quickly
become inaccurate because of changes from long-term erosion,
particularly in coastal areas. However, FEMA is not authorized to map
for these changes--that is, it is not allowed to take into account
situations in which long-term erosion might increase the risk of
flooding in certain areas. Not accurately reflecting the actual risk
of flooding increases the likelihood that even full-risk premiums will
not cover future losses and adds to concerns about NFIP's financial
stability.
FEMA Is Limited in Its Ability to Encourage Property Owners to
Undertake Mitigation Efforts:
In reforming NFIP in 2004, Congress noted that repetitive loss
properties--generally, those that FEMA defines as having had two or
more flood insurance claims payments of $1,000 or more over 10 years--
constituted a significant drain on NFIP resources.[Footnote 79] While
Congress has made efforts to address this issue through mitigation
activities, repetitive loss properties continue to be a drain on NFIP.
Many of these properties are part of the subsidized property
inventory, and thus receive subsidized rates, further contributing to
NFIP's financial instability. This situation exposes the federal
government and ultimately taxpayers to greater risks and is not
consistent with several of the public policy goals (e.g., limiting
exposure to the federal government and the taxpayer) that we have
previously identified for disaster programs.[Footnote 80] As
previously reported, FEMA will offer premium discounts for efforts to
mitigate high-risk structures including raising the elevation of,
relocating, or demolishing a property, but these efforts are for the
most part voluntary.[Footnote 81] FEMA does have some authority to
raise premium rates for property owners who refuse mitigation offers
made by local authorities, such as an offer to elevate the property,
in connection with the severe repetitive loss pilot program.
Specifically, if a property owner refuses a mitigation offer, FEMA can
increase premiums to up to 150 percent of their current amount and by
a similar amount later on if the property owner is paid a claim of
greater than $1,500. However, FEMA is prohibited from charging more
than the current full rate and as a result cannot increase premiums on
property owners are paying the full rate but who refuse a mitigation
offer. In addition, FEMA is not allowed to discontinue coverage for
those who refuse mitigation offers. As a result, FEMA has some
limitations on its ability to compel owners of properties with
repetitive losses to undertake flood mitigation efforts. Further,
while Congress has made efforts to reduce the number of repetitive
loss properties, their number has grown, making them an ongoing
challenge to NFIP's financial stability. Specifically, these
properties account for about 1 percent of all policies but are
estimated to account for up to 30 percent of all NFIP losses. Unless
FEMA is able to effectively encourage owners of severe repetitive loss
properties to undertake mitigation efforts, the potential losses
associated with such properties continues to threaten the financial
stability of the NFIP.
Recognizing that NFIP faces a variety of structural challenges that
need to be reformed, FIMA began a three-phase effort to develop
recommendations to reform the program by addressing some of the
program's external challenges. The process began with a listening
session in November 2009 to capture concerns and recommendations from
about 200 stakeholder participants and to better understand the need
for NFIP reform. The second phase included adopting a policy analysis
framework, analyzing existing stakeholder input, developing and
agreeing on guiding principles to direct the NFIP reform effort, and
creating evaluation criteria to be used in scoring each of the
proposed policy alternatives. The final phase, which began in June
2010 and includes evaluating the policy alternatives, will result in a
reform proposal package that FIMA will submit to FEMA leadership. To
inform this phase, FIMA conducted two additional stakeholder meetings
in December 2010. This process may provide some helpful ideas to
address some of the major challenges facing FEMA in its administration
of NFIP. But as we have noted in earlier reports, comprehensive
legislative reform will be needed to stabilize its financial condition.
Conclusions:
While FEMA has begun to take steps to address its issues, it faces
significant management challenges in areas that affect NFIP, including
strategic planning, human capital planning, collaboration among
offices, records management, financial management, acquisition
management, and business processes. Effectively addressing these
challenges would require program improvements at all levels within
FIMA, FEMA, and DHS and would not only help improve the administration
of NFIP but also help to more effectively deal with financial and
operational challenges that NFIP faces--challenges over which FEMA
often has limited direct control. While FEMA has not yet addressed
many of these issues, in part because of the demands of its key
mission of responding to emergencies, it is beginning to take certain
steps to address its challenges. While some efforts are under way,
FEMA has much work ahead of it in beginning to plan and execute the
day-to-day activities necessary to effectively manage both the agency
and NFIP and to ensure effective collaboration between program and
support offices. As we have seen, for example:
* FEMA has not provided FIMA with strategic direction and guidance for
administering NFIP, and FIMA has not developed a comprehensive
strategy with goals and objectives for the program. GPRA states that
strategic plans should include such guidance and strategies for major
programs like NFIP. Without this direction, NFIP lacks a strategic
focus, and the agency is limited in its ability to develop effective
performance measures to measure NFIP's progress. Without a robust set
of performance measures and an established process for management to
regularly review them, the agency cannot monitor and hold accountable
management and staff involved in the program.
* FEMA lacks a strategic human capital plan (as required by PKEMRA)
that addresses the critical competencies required for its workforce.
Such a plan is critical for FEMA because of its heavy reliance on
contractors. Without such a plan, FEMA is limited in its ability to
assess its staffing and workforce needs, manage turnover, fill
vacancies, and oversee its contractor workforce.
* FEMA lacks a plan to ensure that agency operations are maintained
when federal disasters are declared and staff are deployed to respond.
Without such a plan, FEMA faces the risk that some critical day-to-day
functions may not be performed while staff are deployed, limiting the
agency's ability to provide the necessary support for disaster relief
missions.
* FIMA relies on Mission Support for a variety of mission-critical
functions, including IT, acquisition, and financial management, but
FIMA and Mission Support have faced challenges in collaborating with
one another. For example, FIMA and OCFO have had limited communication
regarding FIMA's budget formulation needs. Without better
collaboration and communication between FIMA and Mission Support's
various offices, FEMA will be unable to fully ensure that NFIP's IT,
acquisition, and financial and budgetary needs are being met.
Further, FEMA still lacks comprehensive systems, policies, and
processes that would help ensure sound records, financial, and
acquisition management as they relate to NFIP. In particular:
* FEMA has no centralized electronic document management system that
would allow its various offices to easily access and store documents.
As a result, the offices have faced problems with lost or destroyed
documents, decreased productivity, and duplicated effort. While there
is broad consensus for the need for a centralized electronic document
management system, FEMA is currently awaiting an overall DHS decision
on a system to be used for this process. However, until such a system
is provided, FEMA will continue to face document management challenges
that impede program effectiveness.
* In previous audits, KPMG found weaknesses within FEMA's management
of unliquidated obligations. The agency has issued an interim
directive for addressing the issue, but FIMA staff said they did not
know the amount of these obligations and the extent to which they have
been inactive. Until FEMA reviews FIMA's unliquidated obligations,
FIMA may be foregoing funds that could otherwise be returned and used
for other program needs.
* Recognizing a number of weaknesses in its oversight and management
of acquisitions, FEMA has taken steps to improve these functions,
including drafting an acquisition directive and a handbook explaining
how to implement it. However, most of these actions have either been
recently implemented or are still under development. While they are
the kinds of steps that need to be taken, the extent to which they
will ensure effective oversight of FEMA's acquisition activities
remains to be seen.
* FEMA Mission Support staff told us that in early 2009 they began a
business process improvement effort that involved mapping current
processes, analyzing them, and determining how they could be improved.
Until this mapping process is complete and related internal control
processes are developed, a high risk exists that certain functions
will be inconsistently or incompletely carried out.
In addition, FEMA has spent about 7 years and $40 million in its
latest attempt to modernize NFIP's insurance policy and claims
management system. FEMA ultimately canceled the effort in November
2009 because it failed to meet user expectations, forcing the agency
to continue relying on an outdated system that is neither effective
nor efficient. Any further attempts to modernize the program's
existing system must recognize the root causes of NextGen's failure,
which include:
* FEMA's and DHS's failure to provide sufficient oversight of the
project and to allow these acquisition weaknesses to go unchecked for
years. Without sufficient management oversight, FEMA will be limited
in its ability to ensure that future modernization attempts are
completed efficiently and effectively.
* Weaknesses in several key system acquisition areas that led to
NextGen's cancellation, including poorly defined and managed
requirements, poorly planned and executed system testing,
insufficiently mitigated program risks, and an inadequately staffed
program office. Unless FEMA learns from these mistakes, future
modernization attempts could face the same fate.
In addition to management challenges, FEMA still faces challenges
related to its financial operations and rate structure. The hurricanes
of 2005 required a massive response from FEMA as it worked to help
thousands of individuals recover from sometimes devastating damage to
their property. The scope of the damages and total claims paid, which
were unparalleled in NFIP's history, highlighted challenges with the
program's financial structure. These challenges, along with the debt
incurred by NFIP as a result of the 2005 hurricanes, remain today.
As we have indicated in previous reports, FEMA can take some actions
to improve NFIP's financial stability, such as ensuring that NFIP's
full-risk premium rates accurately reflect the risk of loss and
ensuring that WYO insurers justify and document their claims for
payment. However, fully addressing other challenges to the long-term
financial stability of the program will require congressional action.
For example, as we have pointed out, congressional action to allow
NFIP to charge full-risk premium rates to all property owners would
decrease the potential for future NFIP operating losses. Authorizing
the inclusion of long-term erosion in future rate maps and providing
FEMA with the authority to require owners of repetitive loss
properties to mitigate or impose penalties for not doing so would also
reduce the risks of future NFIP losses. We recognize that these
potential changes involve tradeoffs. Increasing premium rates and
requiring homeowners to mitigate flood-prone properties could, for
example, reduce participation and create hardship for some property
owners. Nevertheless, until these and related issues are resolved, the
program will continue to present a significant financial risk to the
government and taxpayers.
Recommendations for Executive Action:
To improve strategic planning, performance management, and program
oversight within and related to NFIP, we recommend that the Secretary
of DHS direct the FEMA Administrator to take the following four
actions:
* Provide strategic direction and guidance to the process for
developing a comprehensive strategy for FIMA operations; establish a
firm timeframe for and complete the development of this strategy; and
take steps to ensure that this strategy has appropriate performance
goals and measures to track NFIP's progress.
* Develop a comprehensive workforce plan according to PKEMRA that
identifies agency staffing and skills requirements, addresses turnover
and staff vacancies, and analyzes FEMA's use of contractors.
* Direct the FEMA Administrator to develop guidance for continuing
operations when staff are deployed to respond to federal disasters and
direct FIMA Acting Assistant Administrator to develop such a plan.
* Direct the FIMA Acting Assistant Administrator and the FEMA Mission
Support Associate Administrator to develop protocols to encourage and
monitor collaboration between FIMA and relevant support offices,
including those for information technology, acquisition management,
and financial management.
To improve FEMA's policies, procedures, and systems for achieving
NFIP's program goals, we recommend that the Secretary of DHS direct
the FEMA Administrator to take the following four actions:
* While waiting for DHS to implement an agencywide electronic document
management system, consider the costs and benefits of implementing an
interim system for FEMA and updating its document management policies
and procedures.
* Ensure that FEMA regularly reviews unliquidated obligations within
NFIP-related funds.
* Establish timelines for and complete the development and
implementation of FEMA's revised acquisition process, in line with the
DHS Acquisition Directive 102-01, including a rollout process with
staff training and a mechanism to better ensure that all acquisitions
undergo the necessary reviews.
* Ensure that FEMA Mission Support's business process improvement
efforts are expeditiously completed.
To improve the usefulness and reliability of NFIP's flood insurance
policy and claims processing system, we recommend that the Secretary
of DHS take the following two actions:
* Direct the DHS Deputy Secretary, as the Chair of DHS's ARB, to
provide regular oversight of FEMA's next attempt to modernize this
system.
* Direct the FEMA Administrator to ensure that FEMA's CIO applies
lessons learned from the NextGen experience to the next modernization
attempt. At a minimum, this effort should ensure that (1) all levels
of system requirements are complete and clear and that key
stakeholders are adequately involved in requirements development and
management, (2) key test events are effectively planned and executed
and problems identified during testing effectively managed, (3)
project risks are proactively identified and mitigated, and (4)
project office staffing needs are properly assessed and met.
Matters for Congressional Consideration:
As Congress considers NFIP reforms and reauthorization, it should
consider ways to better ensure the long-term financial stability of
the program, such as 1) allowing NFIP to charge full-risk premium
rates to all property owners and providing assistance to some
categories of owners to pay those premiums; 2) authorizing NFIP to
account for long-term flood erosion in its flood maps; and 3)
clarifying and expanding FEMA's ability to increase premiums or
discontinue coverage for owners of repetitive loss properties who do
not mitigate their properties or refuse FEMA's mitigation offers.
Agency Comments and Our Evaluation:
We provided the Secretary of Homeland Security with a draft of this
report for review and comment. DHS provided written comments that we
summarize below. DHS's letter is reproduced in Appendix II. FEMA also
provided us with technical comments, which we have incorporated as
appropriate.
DHS concurred with all of our 10 recommendations and identified
actions taken or plans made to implement them. Specifically, DHS
agreed with our recommendations to:
* Provide strategic direction and guidance to the process for
developing a comprehensive strategy for FIMA operations; establish a
firm timeframe for and complete the development of this strategy; and
take steps to ensure that this strategy has appropriate performance
goals and measures to track NFIP's progress. DHS stated that FEMA had
recently released its strategic plan for fiscal years 2011-2014 and
had begun requiring its directorates and offices to submit annual
operating plans with goals, measures to track the goals, and links to
FEMA's plan. However, until such a plan and accompanying performance
measures are complete and fully implemented, whether such a plan will
provide the necessary strategic framework for managing NFIP remains to
be seen.
* Develop a comprehensive workforce plan according to PKEMRA. DHS
noted that FEMA had obtained a contractor to conduct a workforce
assessment and had completed Phase I of the process. However, when the
entire workforce plan will be completed given the challenges FEMA
faces in identifying the number and categories of FEMA staff positions
and contractors as cited in the Phase I study is unclear.[Footnote 82]
In addition, as we cited in the report, the Strategic Human Capital
Plan that FEMA developed in response to PKEMRA did not fulfill the
requirements of the mandate. These requirements include:
- specific goals and objectives for recruiting and retaining
employees, such as recruitment and retention bonuses;
- specific strategies and program objectives to develop, train,
deploy, compensate, motivate, and retain employees;
- specific strategies for recruiting staff with experience serving in
multiple state agencies responsible for emergency management; and:
- specific strategies to develop, train, and rapidly deploy a Surge
Capacity Force.
* Develop a plan for continuing NFIP operations when staff are
deployed to respond to federal disasters. DHS stated that it agreed to
provide guidance to FEMA and its components for developing such a
plan, however it does not identify time frames for providing such
guidance.
* Develop protocols for collaboration between program and support
offices. DHS noted that Mission Support had begun some such efforts,
including holding listening sessions and responding to problems that
surface.
* Consider the costs and benefits of implementing an interim
electronic records management system while awaiting an overall DHS
system and update its document management policies and procedures to
ensure records are being adequately managed. DHS indicated that they
have been providing interim policies and guidance to program offices;
however, the policies and procedures they provided us during our
review had not been updated.
* Have FEMA regularly review unliquidated obligations within NFIP-
related funds. DHS stated that FEMA had published an interim directive
in 2009 that applied to open FEMA obligations including those within
FIMA. While this directive provides useful criteria, our
recommendation is that FEMA follow this guidance and better ensure
that regular reviews are completed.
* Establish timelines for and complete the development of FEMA's
revised acquisition process. DHS listed a number of ongoing efforts in
this area including training, certification, and recruitment, among
others. While we are encouraged by the steps taken, establishing
timelines and completing these efforts are critical to establishing a
well functioning contract and acquisition management program.
* Ensure that Mission Support's business process reengineering plans
are expeditiously completed. DHS stated that Mission Support had begun
the process of incorporating lessons learned into its day-to-day
operations. However, we recommend that the plans be fully and
expeditiously implemented, given their importance to helping FEMA's
improve its overall procedures.
Finally, DHS concurred with our last two recommendations for improving
NFIP's flood insurance policy and claims processing system.
Specifically, DHS stated it was preparing to elevate NFIP's status and
ensure that the program was designated for regular oversight by DHS's
ARB. DHS restated its commitment to ensuring that FEMA applies lessons
learned from the NextGen experience to its efforts to replace its
current system.
We are providing copies to the Chairman and Ranking Member, Senate
Committee on Banking, Housing and Urban Affairs, the Chairman and
Ranking Member, House Committee on Financial Services, and other
interested committees. We are also sending a copy of this report to
the Secretary of Homeland Security and other interested parties. In
addition, the report will available at no charge on our Web site at
[hyperlink, http://www.gao.gov].
If you or your staff have any questions regarding this report, please
contact me at (202) 512-8678 or williamso@gao.gov. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report. GAO staff who made major
contributions to this report are listed in appendix III.
Signed by:
Orice Williams Brown:
Managing Director, Financial Markets and Community Investment:
[End of section]
Appendix I: Objective, Scope, and Methodology:
Significant management challenges affect the Federal Emergency
Management Agency's (FEMA) ability to administer the National Flood
Insurance Program (NFIP). GAO undertook this current review to
identify root causes of these deficiencies and to clarify how to
address them. Our objectives were to (1) analyze the extent to which
FEMA's key management practices--including strategic planning, human
capital planning, records management, financial management,
acquisition management, and intra-agency collaboration--affect the
agency's ability to administer NFIP; (2) identify lessons to be
learned from the Next Generation Flood Insurance Management System
(NextGen) program's cancellation, including to what extent key
acquisition management processes were followed on NextGen; and (3)
describe factors that are relevant to NFIP operations and analyze
limitations on FEMA's authority that could affect its financial
stability.
To determine the extent to which FEMA's management practices affected
its ability to meet its program goals as well as congressional goals
for NFIP, we collected available data from FEMA and conducted over 80
interviews with representatives from FEMA's Federal Insurance and
Mitigation Administration (FIMA), Office of Policy and Programs
Analysis (OPPA), and the Mission Support Bureau's offices for
administration, finance, human capital, information, and procurement.
We also interviewed representatives of the Department of Homeland
Security's (DHS) Office of the Inspector General (OIG), the National
Association of Public Administration (NAPA), and KPMG LLP. In
addition, we analyzed FEMA planning documents, policies, directives,
materials, and data related to key aspects of program management:
strategic planning, human capital planning, records management,
acquisition management, and financial management. Due to the nature of
the audit work in these areas, we conducted a data reliability
assessment in the areas of human capital and financial management.
Both were found to be sufficiently reliable for the purposes of our
report. Further, we reviewed relevant legislation, internal control
standards, best practices, and external studies of FEMA's management
challenges. More specifically:
* Strategic planning: To assess FEMA's strategic plans and performance
measures, we obtained and analyzed materials and documents including
FEMA's 2008 strategic plan and FIMA performance measures. We assessed
these documents against our past reports on the Government Performance
and Results Act of 1993 (GPRA) and the Standards for Internal Controls
in the Federal Government.[Footnote 83] To further understand the
strategic planning process and assessment of performance measures, we
met with key FIMA and OPPA officials to discuss FEMA's and FIMA's past
and future strategic planning efforts.
* Human capital: To assess FEMA's workforce planning efforts, we
reviewed the 2008-2012 Strategic Human Capital Plan and compared it
with the requirements in the Post-Katrina Emergency Management Reform
Act of 2006. We also evaluated FEMA's efforts based on guidelines on
workforce planning from the National Aeronautics and Space
Administration, our past reports on key principles for workforce
planning, and written responses provided by FEMA's human capital
office to questions we submitted. In addition, we analyzed the
Consolidated Appropriations Act of 2010 to assess its contractor
tracking requirements for December 2010. To determine turnover in key
positions, we interviewed key FEMA staff regarding turnover in their
departments and obtained and analyzed attrition data from the human
capital office. To assess challenges in hiring, we reviewed
documentation and interviewed human capital and other FEMA staff. In
order to understand the information technology (IT) issues that the
human capital office faces, we interviewed key human capital staff and
analyzed reports and documents by the DHS OIG and NAPA. We also
reviewed standards for continuity of operations plans and past GAO
reports on business continuity plans.
* Collaboration: To assess FEMA's efforts to encourage coordination
between FIMA and the Mission Support offices, we compared the
practices of these two offices to key practices that we identified in
previous work for enhancing and sustaining a collaborative
relationship among federal agencies.[Footnote 84]
* Records management: To assess FEMA's records management efforts, we
reviewed the National Archives and Records Administration standards,
the Federal Records Act, the Paperwork Reduction Act, and the
Standards for Internal Controls in the Federal Government. We reviewed
FEMA and FIMA records management procedural documents, training
materials, FEMA's previous records management policy, DHS's records
management policy, and DHS OIG reports. We met with the Office of the
Chief Administrative Officer, staff from the Records Management
Division, and other relevant FEMA staff to further understand records
management efforts.
* Financial management: To assess FEMA's financial management
processes for NFIP, we reviewed policy documents, training materials,
reference materials, spreadsheets used in budget formulation, data
information on past audits, and data on unliquidated obligations and
compared them to findings in past KPMG LLC audits, DHS OIG reports,
and our past reports on FEMA's financial management. We interviewed
relevant staff from FIMA's and FEMA's financial offices to further
understand financial management processes and efforts.
* Acquisition: In order to assess FEMA's acquisition efforts, we
obtained and analyzed FEMA's guidance for acquisition management and
contractor oversight and compared them to the Federal Acquisition
Regulation and to findings in the DHS OIG reports and our previous
reports related to FEMA's acquisition efforts. We interviewed FEMA's
Chief Procurement Officer and other relevant FEMA staff to assess
acquisition efforts. We also attended contractor oversight meetings to
better understand day-to-day contractor oversight activities.
In addition, we worked at a FEMA audit site in its Arlington,
Virginia, offices from January to April 2010. During that time, we
held meetings with FIMA staff, obtained relevant documents, and
attended day-to-day operational and contractor oversight review
sessions. In order to gather additional information about NFIP reform
efforts, we attended the NFIP Listening Session in November 2009 and
the NFIP Reform Public Meeting in December 2010, both of which were
held in Washington, D.C.
To determine the extent to which the NextGen program's acquisition was
effectively managed and overseen, we focused on the following
acquisition management areas: (1) requirements development and
management, (2) test management, (3) risk management, (4) human
capital planning, and (5) program oversight. In doing so, we analyzed
a range of program documentation, such as requirements documentation,
test plans and reports, risk documentation, program management plan,
and related documentation, and interviewed relevant program and
contractor officials.
* To determine the extent to which the program had effectively
implemented requirements development and management, we reviewed
relevant program documentation, such as the concept of operations
document, NFIP operational manuals, requirements and design documents
on NextGen applications, joint working group recommendation reports,
change request forms, and the program management plan, and evaluated
them against relevant guidance. Moreover, we reviewed briefing slides
and meeting minutes from the NextGen Executive Decision Group. In
addition, we interviewed program and development contractor officials
to discuss the requirements development and management process.
* To determine the extent to which the program effectively implemented
test management activities we reviewed test plans for functional,
regression, and usability testing and NextGen application summary test
reports and compared them with best practices to determine whether
test activities had been adequately documented and implemented. In
addition, we interviewed program and contractor officials to discuss
the test management process.
* To determine the extent to which NextGen risks were effectively
managed, we reviewed the most current NextGen risk management plan,
risk lists, and monthly program status report. We also interviewed
program and development contractor officials to discuss the risk
management process.
* To evaluate whether FEMA was adequately providing for the NextGen
program office's human capital needs, we compared the program's
efforts against relevant guidance. We also interviewed key officials
to discuss workforce analysis and human capital planning efforts.
* To determine the level of oversight given over NextGen we reviewed
DHS's acquisition directive and guidebook and met with officials
responsible for NextGen executive-level oversight to determine if
oversight was effectively provided.
To identify external factors that affected NFIP's ability to carry out
its mission, we reviewed previous GAO reports that analyzed various
aspects of NFIP's policies, practices, and organizational structure,
identifying factors that affected NFIP's operations but over which
NFIP did not have control. For example, we reviewed our reports on the
oversight of the Write-Your-Own program, the financial impact of
subsidized premium rates, and the rate-setting process for flood
insurance premiums. To determine whether and to what extent the
factors identified in these reports were still affecting NFIP's
operations and to identify any additional factors, we interviewed FEMA
representatives and reviewed relevant testimony of officials from FEMA
and several interested associations before Congress.
We conducted this performance audit from July 2009 to June 2011 in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.
[End of section]
Appendix II: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
May 6, 2011:
Orice Williams Brown:
Managing Director:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Re: Draft Report GA0-11-297, "FEMA: Action Needed to Improve
Administration of the National Flood Insurance Program"
Dear Ms. Brown:
Thank you for the opportunity to review and comment on this draft
report. The U.S. Department of Homeland Security (DHS) and the Federal
Emergency Management Agency (FEMA) appreciate the U.S. Government
Accountability Office's (GAO's) work in planning and conducting its
review and issuing this report.
GAO has conducted more than 20 audits of the National Flood Insurance
Program (NFIP) in recent years. These audits have focused on the
actuarial soundness of the program, as well as FEMA's management of
the insurance business operations. FEMA is currently working with
GAO to resolve open recommendations from previous reports and has
undertaken a process to develop a set of reform proposals that will
help resolve actuarial issues in the program. FEMA has also identified
many of the same issues as GAO in the findings of this report and has
implemented actions already underway that will address some of the
recommendations made in this report.
The report contained six recommendations. As discussed below, DHS
concurs with all the recommendations. Specifically, to improve
strategic planning, performance management, and program oversight
within and related to NFIP, GAO recommended that the Secretary of DHS
direct the FEMA Administrator to:
Recommendation #1: Provide strategic direction and guidance to the
process for developing a comprehensive strategy for FIMA operations;
establish a firm timeframe for and complete the development of this
strategy; and take steps to ensure that this strategy has appropriate
performance goals and measures to track NFIP's progress.
Response: Concur in principle. DHS believes it already has underway
activities that will address the issues identified. FEMA has recently
released its new Strategic Plan for FYs 2011”2014 that clearly lays
out the Administrator's four strategic initiatives for the Agency to
accomplish over the next 3 years. NFIP and the objectives for the
program align with Initiative 1: Foster a Whole Community Approach to
Emergency Management Nationally. FEMA's strategic plan comports with
the spirit of the Government Performance and Results Act Modernization
Act of 2010. "Initiative" describes what the Act refers to as "Goals,"
but the essential elements are there ” goals, objectives, and desired
outcomes.
Further, FEMA has been working since last summer in support of FEMA's
Strategic Plan 2011-2014, and consistent with the Agency's capstone
doctrine, FEMA Publication 1 (Pub 1), to develop FEMA's Strategic Plan
for Mitigation and Insurance, FY2012-2014. The development of this
plan to-date has been a very collaborative process. The Plan will
provide a strategic framework to enhance the way FEMA carries out its
mitigation and insurance mission. It will act as a guiding document to
more fully integrate mitigation and insurance programs and philosophy
across the Agency; and to build and sustain collaboration with other
Federal agencies; State, tribal, and local governments; communities;
civic and faith-based organizations; and the public. It is meant to
create a road map for success and also demonstrate what success looks
like in order to engage and encourage staff, stakeholders, and the
public in this mission.
FEMA initiated the requirement for each directorate and office to
submit annual operating plans that lay out the organization's key
goals to accomplish in the upcoming year, how these goals link to the
2011 ” 2014 strategic plan, and the measures used to track the
progress in achieving these goals and measure the outcomes. This
requirement began in October 2010 for FY 2011. FEMA also initiated a
new program to hold senior leaders accountable for their programs called
FEMAStat. This program was initiated in January 2011, and to date six
programs have been reviewed. FEMAStat is based on the COMPSTAT model
first developed in New York City for the police department. FEMAStat
looks to ensure strategic alignment of the program with FEMA's 2011”
2014 strategic plan as described in the organization's operating plan
and focuses on the performance measures used to track progress and
measure outcomes achieved.
FEMA's Federal Insurance and Mitigation Administration is in the
process of aligning its annual operating plan, starting in FY 2012 to
the FEMA Strategic Plan for Mitigation and Insurance to demonstrate
progress toward meeting the top priority strategies outlined in the
plan. FEMA will provide the FEMA Strategic Plan for Mitigation and
Insurance as well as the Federal Insurance and Mitigation
Administration FY 2012 Annual Operation Plan to GAO when completed.
Recommendation #2: Develop a comprehensive workforce plan according to
PKEMRA that identifies agency staffing and skills requirements,
addresses turnover and staff vacancies, and analyzes FEMA's use of
contractors.
Response: Concur. DHS is already working to complete this task. FEMA
submitted its first Post-Katrina Emergency Management Reform Act of
2006-mandated Strategic Human Capital Plan (SHCP) to Congress on June
5, 2008. Annual updates to that plan have been submitted in the form
of an "operational plan" detailing action items designed to address
the goals of the SHCP.
Additionally, in 2009, FEMA along with the Homeland Security Studies
and Analysis Institute (HSSAI) completed Phase I of an assessment to
characterize the FEMA workforce in both steady state (normal day-to-
day operations) and disaster situations (when responding to an active
disaster), in order to identify workforce requirements to achieve FEMA
operational capabilities, identify gaps in the current workforce based
on the identified requirements, and develop workforce plans,
strategies, and tools to transform the current posture into the
workforce of the future.
Phase I (completed in FY 2010) was an "as is" baseline assessment of
FEMA's current federal workforce, including all disaster reservists.
The assessment provided FEMA with a snapshot of its federal workforce.
In addition, the study characterized FEMA's human capital resources,
what they do, and where they are located, geographically as well as
functionally.
For Phase II, FEMA has continued contracting with HSSAI. Phase II will
build on the first phase by identifying requirements for shaping the
workforce of the future to achieve FEMA's strategic goals. In
addition, Phase II will analyze FEMA's regional operations, assess
capability and capacity requirements, including conducting workforce
gap analysis, and study the contract workforce. Specifically, Phase II
will:
* Identify future capability requirements and align human capital
strategy with mission, goals, and/or organizational objectives;
* Identify the appropriate size, grades, demographics, locations,
functions, structure, and composition of the workforce needed to
address current and future workload requirements;
* Identify skill gaps or deficiencies that exist in mission critical
occupations;
* Develop and identify workforce strategies to overcome these skill
gaps;
* Identify the immediate manpower needs of FEMA's Regional Offices;
and;
* Identify and determine where FEMA's contract employees are located
(geographically), what they do, their contributions to FEMA, and what
the appropriate mix of contractors should be and their alignment to
the functional pillars.
Currently, HSSAI is in the process of conducting a literature search
and review and is interviewing the senior leadership so the contractor
understands the Agency's strategic direction. This will assist in
determining the "to be" state and identifying the needed future
workforce. FEMA will continue to work with HSSAI to complete this
assessment.
Recommendation #3: Direct the FIMA Acting Assistant Administrator to
develop a plan for continuing NFIP operations when staff are deployed
to respond to federal disasters.
Response: Concur. DHS will develop consistent agency level guidance
for component level business continuity plans. These plans will inform
Component leadership on the deployment of FEMA Headquarters staff
during catastrophic events so that program business functions will
continue to operate, should the need arise.
Recommendation #4: Direct the FIMA Acting Assistant Administrator and
the FEMA Mission Support Associate Administrator to develop protocols
to encourage and monitor collaboration between FIMA and relevant
support offices, including those for information technology,
acquisition management, and financial management.
Response: Concur. In 2010 the Mission Support Bureau (MSB) began to
conduct "listening sessions" with all FEMA program offices to better
understand the needs of their customers and encourage collaboration
between MSB and these offices. All items identified for action are
responded to promptly and a follow-up plan is provided to the program
office. All actions are closed out in a timely manner. As part of the
MSB Customer Assurance Program, DHS's goals are to continue to ensure
that FEMA customer organizations have a clear understanding of the
resources, tools, and support MSB can provide. To reduce bureaucracy,
streamline processes, and improve accountability and efficiency, DHS
also monitors the conditions under which that support can be provided,
and verifies that MSB processes, practices, and policies are well-
defined, clear, customer-focused, and support the efficient delivery
of service.
To improve FEMA's policies, procedures, and systems for achieving
NFIP' s program goals, GAO recommended that the Secretary of DHS
direct the FEMA Administrator to:
Recommendation #5:
* While waiting for DHS to implement an agency wide electronic
document management system, consider the costs and benefits of
implementing an interim system for FEMA and updating its document
management policies and procedures;
* Ensure that FEMA regularly reviews unliquidated obligations within
NFIP-related funds;
* Establish timelines for and complete the development and
implementation of FEMA's revised acquisition process, in line with the
DHS Acquisition Directive 102-01, including a rollout process with
staff training and a mechanism to better ensure that all acquisitions
undergo the necessary reviews; and;
* Ensure that FEMA Mission Support's business process reengineering
plans are expeditiously completed.
Response: Concur. DHS highlights the following achievements and
ongoing practices:
* Continue to provide interim guidance and policy to program offices
for records and document management while awaiting the implementation
of the DHS-wide system.
* In June 2009, FEMA published Interim CFO Directive 2600-008,
Managing Open Obligations, to identify policies and procedures for
quarterly reviews and annual certification of open obligations in
order to properly report obligation balances, certify the validity of
obligated balances and make funds available that otherwise might not
be used, reduce the risk of misuse and theft of funds, and to improve
the Treasury Department's ability to forecast outlay and borrowing
needs. This directive applies uniformly to all FEMA program offices,
including FIMA (FEMA's Federal Insurance and Mitigation
Administration).
* Continue to ensure that FEMA's revised acquisition process is in
line with DHS Acquisition Directive 102-01. FEMA continues to make a
major investment in improving its capability and capacity to manage
contracts and oversee acquisition programs. FEMA's accomplishments in
the acquisition process include:
- Established and began staffing a 26-person Disaster Assistance
Response Team to provide fully qualified acquisition personnel to
major disaster sites to provide consistent and Federal Acquisition and
Regulation (FAR)-compliant post-award contract administration on major
response and recovery contracts (e.g., IA TAC, PA TAC) that pose high
performance risks.
- Established a Regional Branch to provide a functional reporting
chain for all regional contract specialists to ensure the integrity of
acquisition actions, provide standardized contract awards and
administration, and ensure all acquisition personnel are supervised by
progressive levels of experienced Contract Specialists.
- Developed a FEMA Qualification System for all Disaster Assistance
Employees in the Acquisition Cadre (to build upon the Credentialing
System developed in calendar year 2010) that provides a framework for
building a qualified acquisition cadre to make better and more
consistent acquisition decisions.
- Increased acquisition training opportunities through the use of Web-
based training, periodic in-house policy and training seminars, and
self-directed "brown bag" training sessions where employees conduct a
review of GAO cases to increase the rate of acquisition lessons
learned.
- Established a system of positive file controls to ensure
availability and accountability of contract files.
- With respect to the Contracting Officer Technical Representative
(COTR) program, a tiered COTR certification system now exists to
ensure that COTRs are properly trained and equipped to manage
contracts, on the basis of size and complexity. COTRs are now
certified at three levels, with Tier III being the highest level
training. Today, there are a total of 1456 DHS certified COTRs, with
79 being Tier II certified, 166 being Tier III certified and the
remainder being Tier I certified. Approximately 260 COTRs are expected
to be Tier II and III certified this year.
- With respect to DHS certified Acquisition Program Managers (PMs),
there are 169 certified PMs of which 94 are PM Level 1, 58 are PM
Level 2, and 17 are PM Level 3 certified. Level 3 is the highest level.
- FEMA established the position of Acquisition Advisor to the Federal
Coordinating Officer (FCO) to provide needed visibility for the
acquisition function in a disaster field office and to provide
expedited acquisition expertise to the FCO, especially in the fast-
paced environment of the disaster response phase. This position was
activated for the first time during the response to Hurricanes Gustav
and Ike and proved to be quite successful in helping responders avoid
unauthorized commitments, and expedite procurements to meet their
response needs.
- FEMA continues to make progress on acquisition management, balancing
the use of prepositioned contracts with the requirements of Section
307 of the Stafford Act, which pertains to requiring FEMA to contract
with local vendors to the maximum extent possible when responding to a
declared major disaster. FEMA established the Local Business
Transition Team in response to Stafford Act Section 307 "Use of Local
Finns and Individuals," which facilitates the transition of disaster
requirements by assisting the Joint Field Office acquisition staff and
programs with identifying requirements, assessing transition
feasibility, and creating acquisition packages for contract award.
- The Acquisition Operations Division of The Office of the Chief
Procurement Officer, under which the majority of contracting officers
and contract specialists are employed, has an 85-percent fill rate and
continues to work to fill necessary positions.
- FEMA will continue to improve its capabilities by recruiting,
training, and retaining sufficient staff in all areas necessary to
ensure preparedness for a catastrophic disaster, and working closely
with the entire emergency management community. One of the most
important ways this is achieved is through partnerships at the federal
level.
* In 2009, MSB, formerly the Management Directorate underwent a
Business Process Improvement Initiative to provide the office with a
broader, deeper understanding of the day-to-day processes our offices
performs and identify areas for potential improvements across MSB. As
part of this review, MSB documented the 'as is' of all core business
processes, while identifying areas of efficiency and effectiveness.
This resulted in MSB identifying and documenting the future state of
these 'to be' processes to resolve issues, incorporate key controls,
and reflect industry best practices. This as part of FEMA's strategic
plan goal #5 "transforming into a results-oriented organization
focused on performance, strong financial management, and continuous
improvement of its business processes." As a result, the Agency will
be better able to achieve greater:
- Understanding: Increase visibility of core processes and develop
shared understanding and clarity of what each process entails;
- Efficiency: Free up bottlenecks and minimize redundancies across the
enterprise;
- Consistency: Establish repeatable, measurable, transferable
processes and target goals;
- Collaboration: Improve cross-MSB activities to enhance effectiveness
of our resources, personnel, and programs.
MSB has begun incorporating these lessons learned into our day-to-day
operations, and continues to look for opportunities to reengineer our
programs and process to provide the Timely, Positive, Accountable, and
Dependable support, tools, and resources the FEMA team needs to build,
sustain, and improve the capability to prepare for, protect against,
respond to, recover from, and mitigate against all hazards.
To improve the usefulness and reliability of NFIP's flood insurance
policy and claims processing system, GAO recommended that the
Secretary of DHS:
Recommendation #6:
* Direct the DHS Deputy Secretary, as the Chair of DHS's Acquisition
Review Board, to provide regular oversight of FEMA's next attempt to
modernize this system; and;
* Direct the FEMA Administrator to ensure that FEMA's Chief
Information Officer applies lessons learned from the NextGen
experience to the next modernization attempt. At a minimum, this
effort should ensure that (I) all levels of system requirement are
complete and clear and that key stakeholders are adequately involved
in requirements development and management, (2) key test events are
effectively managed, (3) project risks are proactively identified and
mitigated, and (4) project office staffing needs are properly assessed
and met.
Response: Concur. DHS is preparing an Acquisition Decision Memorandum
to elevate NFIP from a Level 3 to a Level 2 Special Interest program.
This will ensure that the program is designated for regular oversight
by DHS's Acquisition Review Board (ARB). In addition to this
designation, a formally established cross-functional Executive
Steering Committee will convene immediately. FEMA has made a
significant commitment to effectively overseeing its major acquisition
activities through the creation of a FEMA ARB, which is now fully
functional and supported by a staff of experts in acquisition program
management. All major acquisitions now must pass through this rigorous
review progress and are subject to periodic review by the ARB over the
life of the contract.
* The report reminds the Office of the Chief Information officer
(OCIO) that the Agency's IT strategy needs to be updated and re-
communicated to FEMA's staff and program offices. Over the past 4
years, FEMA OCIO has undertaken important initiatives and made great
progress in modernizing IT infrastructure, services, and systems.
These initiatives fall into three major functional areas: enterprise,
business, and mission. OCIO has continued its modernization efforts
and is applying lessons learned from the NextGen assessment to move
forward, working alongside its business partner to better understand
their program needs, and to conduct information gathering that will
inform the development of the Statement of Work, test identified
solutions, mitigate issues, and ensure adequate staffing to maintain
systems.
* Additionally, FEMA OCIO will continue to meet with senior leaders in
enterprise, business, and mission areas to ensure IT investments
support Agency mission goals. Meetings will be held on a quarterly
basis, and the results of the meetings will be posted to the
interactive IT strategy Website.
Thank you for the opportunity to review and comment on this draft
report. We look forward to working with you on future Homeland
Security engagements.
Sincerely,
Signed by:
Jim H. Crumpacker:
Director:
Departmental GAO/OIG Liaison Office:
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Orice Williams Brown, (202) 512-8678 or williamso@gao.gov.
Staff Acknowledgments:
In addition to the contact named above, Randy Hite (retired),
Director; William Woods, Director; Patrick Ward, Assistant Director;
Tonia Johnson, Assistant Director (in memoriam); Nima Patel Edwards;
Christopher Forys; Elena Epps; and Emily Chalmers made significant
contributions to this report. Other contributors included Tania
Calhoun; William R. Chatlos; Jim Crimmer; Marc Molino; Freda Paintsil;
Karl Seifert; and Christy Tyson.
[End of section]
Related GAO Products:
Flood Insurance: Public Policy Goals Provide a Framework for Reform.
[hyperlink, http://www.gao.gov/products/GAO-11-429T]. Washington,
D.C.: March 11, 2011.
FEMA Flood Maps: Some Standards and Processes in Place to Promote Map
Accuracy and Outreach, but Opportunities Exist to Address
Implementation Challenges. [hyperlink,
http://www.gao.gov/products/GAO-11-17]. Washington, D.C.: December 2,
2010.
National Flood Insurance Program: Continued Actions Needed to Address
Financial and Operational Issues. [hyperlink,
http://www.gao.gov/products/GAO-10-1063T]. Washington, D.C.: September
22, 2010.
Homeland Security: US-VISIT Pilot Evaluations Offer Limited
Understanding of Air Exit Options. [hyperlink,
http://www.gao.gov/products/GAO-10-860]. Washington, D.C.: August 10,
2010.
Department of Homeland Security: Assessments of Selected Complex
Acquisitions. [hyperlink, http://www.gao.gov/products/GAO-10-588SP].
Washington, D.C.: June 30, 2010.
National Flood Insurance Program: Continued Actions Needed to Address
Financial and Operational Issues. [hyperlink,
http://www.gao.gov/products/GAO-10-631T]. Washington, D.C.: April 21,
2010.
Financial Management: Improvements Needed in National Flood Insurance
Program's Financial Controls and Oversight. [hyperlink,
http://www.gao.gov/products/GAO-10-66]. Washington, D.C.: December 22,
2009.
Homeland Security: Despite Progress, DHS Continues to Be Challenged in
Managing Its Multi-Billion Dollar Annual Investment in Large-Scale
Information Technology Systems. [hyperlink,
http://www.gao.gov/products/GAO-09-1002T]. Washington, D.C.: September
15, 2009.
Flood Insurance: Opportunities Exist to Improve Oversight of the WYO
Program. [hyperlink, http://www.gao.gov/products/GAO-09-455].
Washington, D.C.: August 21, 2009.
Results-Oriented Management: Strengthening Key Practices at FEMA and
Interior Could Promote Greater Use of Performance Information.
[hyperlink, http://www.gao.gov/products/GAO-09-676]. Washington, D.C.:
August 17, 2009.
Information on Proposed Changes to the National Flood Insurance
Program. [hyperlink, http://www.gao.gov/products/GAO-09-420R].
Washington, D.C.: February 27, 2009.
High-Risk Series: An Update. [hyperlink,
http://www.gao.gov/products/GAO-09-271]. Washington, D.C.: January
2009.
Homeland Security: U.S. Visitor and Immigrant Status Indicator
Technology Program Planning and Execution Improvements Needed.
[hyperlink, http://www.gao.gov/products/GAO-09-96]. Washington, D.C.:
December 12, 2008.
Department of Homeland Security: A Strategic Approach Is Needed to
Better Ensure the Acquisition Workforce Can Meet Mission Needs.
[hyperlink, http://www.gao.gov/products/GAO-09-30]. Washington, D.C.:
November 19, 2008.
Department of Homeland Security: Billions Invested in Major Programs
Lack Appropriate Oversight. [hyperlink,
http://www.gao.gov/products/GAO-09-29]. Washington, D.C.: November 18,
2008.
Flood Insurance: Options for Addressing the Financial Impact of
Subsidized Premium Rates on the National Flood Insurance Program.
[hyperlink, http://www.gao.gov/products/GAO-09-20]. Washington, D.C.:
November 14, 2008.
Tax Administration: IRS Needs to Strengthen Its Approach for
Evaluating the SRFMI Data-Sharing Pilot Program. [hyperlink,
http://www.gao.gov/products/GAO-09-45]. Washington, D.C.: November 7,
2008.
Flood Insurance: FEMA's Rate-Setting Process Warrants Attention.
[hyperlink, http://www.gao.gov/products/GAO-09-12]. Washington, D.C.:
October 31, 2008.
Secure Border Initiative: DHS Needs to Address Significant Risks in
Delivering Key Technology Investment. [hyperlink,
http://www.gao.gov/products/GAO-08-1086]. Washington, D.C.: September
22, 2008.
National Flood Insurance Program: Financial Challenges Underscore Need
for Improved Oversight of Mitigation Programs and Key Contracts.
[hyperlink, http://www.gao.gov/products/GAO-08-437]. Washington, D.C.:
June 16, 2008.
Natural Catastrophe Insurance: Analysis of a Proposed Combined Federal
Flood and Wind Insurance Program. [hyperlink,
http://www.gao.gov/products/GAO-08-504]. Washington, D.C.: April 25,
2008.
National Flood Insurance Program: Greater Transparency and Oversight
of Wind and Flood Damage Determinations Are Needed. [hyperlink,
http://www.gao.gov/products/GAO-08-28]. Washington, D.C.: December 28,
2007.
National Disasters: Public Policy Options for Changing the Federal
Role in Natural Catastrophe Insurance. [hyperlink,
http://www.gao.gov/products/GAO-08-7]. Washington, D.C.: November 26,
2007.
Business Systems Modernization: Department of the Navy Needs to
Establish Management Structure and Fully Define Policies and
Procedures for Institutionally Managing Investments. [hyperlink,
http://www.gao.gov/products/GAO-08-53]. Washington, D.C.: October 31,
2007.
Federal Emergency Management Agency: Ongoing Challenges Facing the
National Flood Insurance Program. [hyperlink,
http://www.gao.gov/products/GAO-08-118T]. Washington, D.C.: October 2,
2007.
National Flood Insurance Program: FEMA's Management and Oversight of
Payments for Insurance Company Services Should Be Improved.
[hyperlink, http://www.gao.gov/products/GAO-07-1078]. Washington,
D.C.: September 5, 2007.
Information Technology: FBI Following a Number of Key Acquisition
Practices on New Case Management System, but Improvements Still
Needed. [hyperlink, http://www.gao.gov/products/GAO-07-912].
Washington, D.C.: July 30, 2007.
National Flood Insurance Program: Preliminary Views on FEMA's Ability
to Ensure Accurate Payments on Hurricane-Damaged Properties.
[hyperlink, http://www.gao.gov/products/GAO-07-991T]. Washington,
D.C.: June 12, 2007.
Coastal Barrier Resources System: Status of Development That Has
Occurred and Financial Assistance Provided by Federal Agencies.
[hyperlink, http://www.gao.gov/products/GAO-07-356]. Washington, D.C.:
March 19, 2007.
Budget Issues: FEMA Needs Adequate Data, Plans, and Systems to
Effectively Manage Resources for Day-to-Day Operations. [hyperlink,
http://www.gao.gov/products/GAO-07-139]. Washington, D.C.: January 19,
2007.
National Flood Insurance Program: New Processes Aided Hurricane
Katrina Claims Handling, but FEMA's Oversight Should Be Improved.
[hyperlink, http://www.gao.gov/products/GAO-07-169]. Washington, D.C.:
December 15, 2006.
Enterprise Architecture: Leadership Remains Key to Establishing and
Leveraging Architectures for Organizational Transformation.
[hyperlink, http://www.gao.gov/products/GAO-06-831]. Washington, D.C.:
August 14, 2006.
Information Technology: Customs Has Made Progress on Automated
Commercial Environment System, but It Faces Long-Standing Management
Challenges and New Risks. [hyperlink,
http://www.gao.gov/products/GAO-06-580]. Washington, D.C.: May 31,
2006.
Homeland Security: Progress Continues, but Challenges Remain on
Department's Management of Information Technology. [hyperlink,
http://www.gao.gov/products/GAO-06-598T]. Washington, D.C.: March 29,
2006.
GAO's High-Risk Program. [hyperlink,
http://www.gao.gov/products/GAO-06-497T]. Washington, D.C.: March 15,
2006.
Federal Emergency Management Agency: Challenges for the National Flood
Insurance Program. [hyperlink,
http://www.gao.gov/products/GAO-06-335T]. Washington, D.C.: January
25, 2006.
Results-Oriented Government: Practices That Can Help Enhance and
Sustain Collaboration among Federal Agencies. [hyperlink,
http://www.gao.gov/products/GAO-06-15]. Washington, D.C.: October 21,
2005.
Federal Emergency Management Agency: Improvements Needed to Enhance
Oversight and Management of the National Flood Insurance Program.
[hyperlink, http://www.gao.gov/products/GAO-06-119]. Washington, D.C.:
October 18, 2005.
Framework for Assessing the Acquisition Function at Federal Agencies.
[hyperlink, http://www.gao.gov/products/GAO-05-218G]. Washington,
D.C.: September 2005.
Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity. [hyperlink,
http://www.gao.gov/products/GAO-04-394G]. Washington, D.C.: March 2004.
Human Capital: Key Principles for Effective Strategic Workforce
Planning. [hyperlink, http://www.gao.gov/products/GAO-04-39].
Washington, D.C.: December 11, 2003.
Information Technology: A Framework for Assessing and Improving
Enterprise Architecture Management (Version 1.1). [hyperlink,
http://www.gao.gov/products/GAO-03-584G]. Washington, D.C.: April 2003.
Tax Administration: IRS Needs to Further Refine Its Tax Filing Season
Performance Measures. [hyperlink,
http://www.gao.gov/products/GAO-03-143]. Washington, D.C.: November
22, 2002.
Internal Control Management and Evaluation Tool. [hyperlink,
http://www.gao.gov/products/GAO-01-1008G]. Washington, D.C.: August
2001.
Determining Performance and Accountability Challenges and High Risks.
[hyperlink, http://www.gao.gov/products/GAO-01-159SP]. Washington,
D.C.: November 2000.
Standards for Internal Control in the Federal Government. [hyperlink,
http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. Washington, D.C.:
November 1999.
Budget Issues: Budgeting for Federal Insurance Programs. [hyperlink,
http://www.gao.gov/products/GAO/T-AIMD-98-147]. Washington, D.C.:
April 23, 1998.
Budget Issues: Budgeting for Federal Insurance Programs. [hyperlink,
http://www.gao.gov/products/GAO/AIMD-97-16]. Washington, D.C.:
September 30, 1997.
Agencies' Strategic Plans under GPRA: Key Questions to Facilitate
Congressional Review. [hyperlink,
http://www.gao.gov/products/GAO/GGD-10.1.16]. Washington, D.C.: May
1997.
[End of section]
Footnotes:
[1] GAO, GAO's High-Risk Program, [hyperlink,
http://www.gao.gov/products/GAO-06-497T] (Washington, D.C.: Mar. 15
2006).
[2] KMPG LLC conducts the annual DHS financial statement audit.
[3] Pub. L. No. 90-448, Title XIII, § 1302, 82 Stat. 476 (1968).
[4] This number reflects the four components of the NFIP premium: (1)
Building Coverage, (2) Contents Coverage, (3) Increased Cost of
Construction Coverage, and (4) Federal Policy Fee.
[5] GAO's 2009 high-risk list has designated Implementing and
Transforming the Department of Homeland Security as a high-risk
program. Also, see GAO, Department of Homeland Security: Actions Taken
Toward Management Integration, but a Comprehensive Strategy Is Still
Needed, [hyperlink, http://www.gao.gov/products/GAO-10-131]
(Washington, D.C.: Nov. 20, 2009) and Department of Homeland Security:
A Comprehensive and Sustained Approach Needed to Achieve Management
Integration, [hyperlink, http://www.gao.gov/products/GAO-05-139]
(Washington, D.C.: Mar. 16, 2005).
[6] FIMA has three divisions with separate flood risk management
functions: the Risk Analysis Division identifies flood risk,
particularly through mapping efforts; the Risk Reduction Division
involves flood plain management and manages a number of grant programs
that help mitigate high-risk properties; and the Risk Insurance
Division manages the insurance program.
[7] During the course of this engagement, FEMA changed OCFO's
reporting structure so that OCFO now reports directly to the FEMA
administrator, as reflected in Figure 1 below.
[8] FEMA, Strategic Plan, Fiscal Years 2011-2014, Publication 806,
February 2011.
[9] Pub. L No. 103-62, § 3, 107 Stat. 285 (1993), codified at 5 U.S.C.
§ 306. GPRA was recently amended by the GPRA Modernization Act of
2010, Pub. L. No. 111-352, 124 Stat. 3866 (2011).
[10] See GAO, Agencies' Strategic Plans Under GPRA: Key Questions to
Facilitate Congressional Review, [hyperlink,
http://www.gao.gov/products/GAO/GGD-10.1.16] (Washington, D.C.: May
1997).
[11] Senate Committee on Governmental Affairs, S. Rep. No. 103-58,
103d Cong., 1st Sess. (1993), at 15.
[12] See GAO, Standards for Internal Control in the Federal
Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[13] See GAO, Tax Administration: IRS Needs to Further Refine Its Tax
Filing Season Performance Measures, [hyperlink,
http://www.gao.gov/products/GAO-03-143] (Washington, D.C.: Nov. 22,
2002). In this report, GAO developed nine attributes of performance
goals and measures based on previously established GAO criteria.
[14] See [hyperlink, http://www.gao.gov/products/GAO-03-143].
[15] FIMA officials said that FIMA previously required the regions and
its three divisions to use and report on a much more robust set of
performance measures--called "scorecards"--to supplement the five
primary measures. However, when management changed in 2007, the
measures were still new and staff were not yet using them. Current
management no longer requires the regions and divisions to report
these measures, and they have not been used since 2007. NFIP
communities develop Hazard Mitigation Plans to understand the risks
that hazards pose and include priorities for and strategies to avoid
or minimize the undesired effects of hazards.
[16] The Post-Katrina Emergency Management Reform Act of 2006 was
enacted as Title VI of the Department of Homeland Security
Appropriations Act, 2007, Pub. L. No. 109-295, 120 Stat. 1355 (2006).
[17] National Academy of Public Administration (NAPA), FEMA's
Integration of Preparedness and Development of Robust Regional
Offices. (Washington, D.C.: October 2009).
[18] See GAO, Human Capital: Key Principles for Effective Strategic
Workforce Planning, [hyperlink, http://www.gao.gov/products/GAO-04-39]
(Washington, D.C.: Dec. 11, 2003), and Budget Issues: FEMA Needs
Adequate Data, Plans, and Systems to Effectively Manage Resources for
Day-to-Day Operations, [hyperlink,
http://www.gao.gov/products/GAO-07-139] (Washington, D.C.: Jan. 19,
2007).
[19] National Academy of Public Administration, FEMA's Integration of
Preparedness and Development of Robust Regional Offices (Washington
D.C.: October 2009).
[20] Homeland Security Studies and Analysis Institute, FEMA's
Workforce Baseline Assessment (Arlington, Va.: March 2010).
[21] See Homeland Security Studies and Analysis Institute, Federal
Emergency Management Agency Workforce Baseline Assessment, Final
Report (Arlington, Va.: Mar. 31, 2010).
[22] Pub. L. No. 111-117, § 743, 123 Stat. 3034, 3216 (2009).
[23] Full-time equivalent (FTE) is a measure of employment used by the
federal government to calculate the total number of regular, straight-
time hours worked by employees divided by the number of compensable
hours applicable to each fiscal year.
[24] See [hyperlink, http://www.gao.gov/products/GAO-07-139].
[25] See Homeland Security Studies and Analysis Institute, Federal
Emergency Management Agency Workforce Baseline Assessment, Final
Report; (Arlington, Va.: Mar. 31, 2010). According to the Homeland
Security Studies and Analysis Institute's March 2010 report, FEMA has
approximately 9,000 temporary "surge" employees who were on call to
respond to a disaster. In January 2010, half of these employees had
declared themselves unavailable, and approximately 1,720 were deployed
to 119 active disaster sites, leaving an actual surge capacity of
around 2,800 staff.
[26] The goal of business continuity planning management is to keep
operations running in the event of a disruption to normal business
practices. As a program, it includes activities such as planning, risk
analysis, providing backup facilities, succession plans, and impact
assessments.
[27] See [hyperlink, http://www.gao.gov/products/GAO-07-139].
[28] See GAO, Results-Oriented Government: Practices That Can Help
Enhance and Sustain Collaboration among Federal Agencies, [hyperlink,
http://www.gao.gov/products/GAO-06-15] (Washington, D.C.: Oct. 21,
2005).
[29] Within this overarching goal for participation by small business
concerns are goals for small business concerns owned and controlled by
service-disabled veterans, qualified HUBZone small business concerns,
small business concerns owned and controlled by socially and
economically disadvantaged individuals, and small business concerns
owned and controlled by women. 15 U.S.C. § 644(g)(1).
[30] The Head of Contracting Activity is a federal employee who, by
position or appointment, is responsible for managing the entire
acquisition function within an organizational element. This position
is located within FEMA's Mission Support Bureau.
[31] The Small Business Administration is responsible for assigning
procurement center representatives (PCR) to major contracting offices
at federal agencies to implement small business policies and programs.
Each federal agency that has procurement authority is required to have
an Office of Small and Disadvantaged Business Utilization (OSDBU) help
oversee the agency's functions and duties related to the awarding of
contracts and subcontracts to small and disadvantaged businesses. DHS
requires its OSDBU to review every proposed new contract requirement
estimated to exceed $100,000 and all modifications to contracts
involving new work not required under the original contract. DHS also
requires its PCR to review all purchases greater than $2 million.
[32] FIMA staff also said that FEMA's attorneys had not allowed them
to require that contractors have specific flood insurance experience.
The attorneys said that doing so would improperly restrict competition
and added they did not believe that the insurance experience required
for contracts needed to be specifically with flood insurance.
[33] DHS Office of the Inspector General, Independent Auditor's Report
on DHS' FY 2009 Financial Statements and Internal Control over
Financial Reporting, OIG-10-11 (Washington, D.C.: Nov. 13, 2009).
[34] DHS Office of the Inspector General, Independent Auditors' Report
on DHS' FY 2010 Financial Statements and Internal Control over
Financial Reporting, OIG-11-09 (Washington, D.C.: Nov. 12, 2010).
[35] NARA is an independent agency that oversees management of federal
government records including presidential libraries and historic
collections.
[36] For purposes of federal records management laws and regulations,
"records" include all books, papers, maps, photographs, machine
readable materials, or other documentary materials, regardless of
physical form or characteristics, made or received by an agency of the
United States government under federal law or in connection with the
transaction of public business and preserved or appropriate for
preservation by that agency or its legitimate successor as evidence of
the organization, functions, policies, decisions, procedures,
operations, or other activities of the government or because of the
informational value of the data in them. 44 U.S.C. § 3301.
[37] A file plan is a comprehensive outline that includes the records
series, file organization, active file locations, file transfer
instructions, file retention and disposition instructions, and other
specific instructions that provide guidance for effective management
of records, including vital records.
[38] Federal records management laws and regulations include
provisions in chapters 21, 29, 31, and 33 of Title 44 of the U.S.
Code, and their implementing regulations, as well as the Paperwork
Reduction Act of 1980, as amended, 44 U.S.C. §§ 3501 et seq.
[39] DHS Office of the Inspector General, Department of Homeland
Security's Acquisition Data Management Systems, OIG-10-42 (Washington,
D.C.: Jan. 25, 2010) and Challenges Facing FEMA's Disaster Contract
Management, OIG-09-70 (Washington, D.C.: May 8, 2009).
[40] See GAO, Financial Management: Improvements Needed in National
Flood Insurance Program's Financial Controls and Oversight,
[hyperlink, http://www.gao.gov/products/GAO-10-66] (Washington, D.C.:
Dec. 22, 2009).
[41] An unliquidated obligation, also called an undelivered order, is
the value of goods and services ordered and obligated that have not
been received. This amount may also include any orders for which
advance payment has been made but for which delivery or performance
has not yet occurred.
[42] The $3.0 million includes about $61,000 that has been identified
to be deobligated, $739,000 that is currently under review, and $2.17
million that requires review to close. Further, the current $3.3
million had decreased from $10.2 million in May 2010.
[43] DHS Management Directive No.1400, Investment Review Process,
Draft Version 2.0 (March 2006).
[44] The NextGen system was intended to (1) collect data to determine
premium rates, (2) collect data on flood claims, (3) track the
progress of policies and claims, and (4) prepare legislatively
mandated reports for Congress.
[45] DHS Acquisition Directive No. 102-01, Draft Version 1.9 (Nov. 7,
2008) and DHS Acquisition Management Directive No. 102-01, (Jan. 20,
2010).
[46] While FEMA currently lacks its own acquisition directive, it is
still expected to adhere to the DHS guidance.
[47] The DHS ARB is required for acquisition programs at or above $300
million in life cycle costs and enterprise service contracts at or
above $100 million in annual expenditure.
[48] These programs include Disaster Assistance Improvement Plan
(DAIP), Grants Management Integrated Environment (GMIE), Housing
Inspection Services (HIS), Integrated Public Alert and Warning System
(IPAWS), Logistics Supply Chain Management System (LSCMS), Mt. Weather
Emergency Operations Center (MWEOC), National Medical Transport and
Support Contract (NMTSC), Responder Support Camp (RSC), and Risk
Mapping Assessment and Planning (RiskMAP).
[49] See GAO, National Flood Insurance Program: Financial Challenges
Underscore Need for Improved Oversight of Mitigation Programs and Key
Contracts, [hyperlink, http://www.gao.gov/products/GAO-08-437]
(Washington, D.C.: June 16, 2008).
[50] DHS Office of the Inspector General, Department of Homeland
Security's Acquisition Data Management Systems, OIG-10-42 (Washington,
D.C.: Jan. 25, 2010).
[51] FEMA, Directive FD 228-1, Contracting Officer's Technical
Representative (COTR) (Sept. 28, 2009).
[52] FEMA, Contracting Officer's Technical Representative (COTR)
Handbook, Version 1 (February 2009).
[53] According to FEMA, about 95 percent of NFIP policies are written
by insurance agents who represent private insurance companies that
issue policies and process flood claims under their own names (write-
your-own, or WYO, insurers). The other 5 percent of the policies are
sold and serviced by state-licensed insurance agents and brokers that
rely on FEMA for claims processing.
[54] Carnegie Mellon Software Engineering Institute, Capability
Maturity ModelŽIntegration for Development, Version 1.2 (Pittsburgh,
Penn.: Aug. 2006). The Capability Maturity ModelŽ Integration for
Development (CMMI), developed by the Software Engineering Institute of
Carnegie Mellon University, defines key practices that are recognized
hallmarks for successful organizations that, if effectively
implemented, can greatly increase the chances of successfully
developing and acquiring software and systems.
[55] FEMA, National Flood Insurance Program Flood Insurance Manual
(May 2006); National Flood Insurance Program Specific Rating
Guidelines (May 2008); and National Flood Insurance Program
Transaction Record Reporting and Processing (TRRP) Plan for the Write
Your Own (WYO) Program (May 2006).
[56] FEMA, FEMA Enterprise Applications Development, Integration, and
Sustainment, Requirements Validation Document of Findings, NFIP-WO28
(Washington, D.C.: Jan. 18, 2010).
[57] See GAO, Secure Border Initiative: DHS Needs to Address
Significant Risks in Delivering Key Technology Investment, [hyperlink,
http://www.gao.gov/products/GAO-08-1086] (Washington, D.C.: Sept. 22,
2008).
[58] Software Engineering Institute, Capability Maturity Model
Integration for Acquisition, version 1.2 (Pittsburgh, Pa.: November
2007); and Institute of Electrical and Electronics Engineers, Standard
829-2008 Software and System Test Documentation (New York, N.Y.: July
18, 2008).
[59] Institute of Electrical and Electronics Engineers, Inc.,
Standards for Software and System Test Documentation, IEEE Std. 829-
2008 (New York, N.Y.: July 18, 2008).
[60] The COTR reviews contractor performance regularly, ensures that
contractual milestones are met and standards are being maintained,
conducts regular inspections of contractor deliverables throughout the
contract period, and ensures that all contract conditions and clauses
are acted upon.
[61] GAO, Tax Administration: IRS Needs to Strengthen Its Approach for
Evaluating the SFRMI Data-Sharing Program, [hyperlink,
http://www.gao.gov/products/GAO-09-45] (Washington, D.C.: Nov. 7,
2008) and Homeland Security: US-VISIT Pilot Evaluations Provide
Limited Understanding of Air Exit Options, [hyperlink,
http://www.gao.gov/products/GAO-10-860] (Washington, D.C.: Aug. 10,
2010).
[62] Software Engineering Institute, Capability Maturity Model
Integration for Acquisition, version 1.2 (Pittsburgh, Pa.: November
2007); and Institute for Electrical and Electronics Engineers,
Standard 829-2008 Software and System Test Documentation (New York,
N.Y.: July 18, 2008).
[63] Office of Management and Budget, Capital Planning Guide:
Supplement to Circular A-11, part 7, (Washington D.C.: June 2006).
[64] See GAO, Homeland Security: U.S. Visitor and Immigrant Status
Indicator Technology Program Planning and Execution Improvements
Needed, [hyperlink, http://www.gao.gov/products/GAO-09-96] (Washington
D.C.: Dec. 12, 2008).
[65] DHS, Improvement Needed in FEMA's Management of the National
Flood Insurance Program's Information Technology Transition, OIG-10-76
(Washington, D.C.: Mar. 31, 2010).
[66] See GAO, Information Technology: FBI Following a Number of Key
Acquisition Practices on New Case Management System, but Improvements
Still Needed, [hyperlink, http://www.gao.gov/products/GAO-07-912]
(Washington, D.C.: July 30, 2007) and Information Technology: Customs
Has Made Progress on Automated Commercial Environment System, but It
Faces Long-Standing Management Challenges and New Risks, [hyperlink,
http://www.gao.gov/products/GAO-06-580] (Washington, D.C.: May 31,
2006).
[67] See GAO, Homeland Security: Despite Progress, DHS Continues to Be
Challenged in Managing Its Multi-Billion Dollar Annual Investment in
Large-Scale Information Technology Systems, [hyperlink,
http://www.gao.gov/products/GAO-09-1002T] (Washington, D.C.: Sept. 15,
2009); Homeland Security: Progress Continues, but Challenges Remain on
Department's Management of Information Technology, [hyperlink,
http://www.gao.gov/products/GAO-06-598T] (Washington, D.C.: Mar. 29,
2006); and Business Systems Modernization: Department of the Navy
Needs to Establish Management Structure and Fully Define Policies and
Procedures for Institutionally Managing Investments, [hyperlink,
http://www.gao.gov/products/GAO-08-53] (Washington, D.C.: Oct. 31,
2007).
[68] DHS, Acquisition Directive 102-01, Interim Version 1.9
(Washington, D.C.: Nov. 7, 2008) and Acquisition Instruction/Guidebook
102-01-01, Interim Version 1.9 (Washington, D.C.: Nov. 7, 2008).
[69] Generally, repetitive loss properties are those that have had two
or more flood insurance claims payments of $1,000 or more over a
period of 10 years.
[70] NFIP's Direct Servicing Agent program collects premiums,
underwrites and produces policies, and settles claims for policies
that insurance agents obtain for property owners directly from NFIP
rather than through a WYO insurer.
[71] FEMA has three separate mitigation grant programs, each with
different types of requirements, purposes, and appropriations: the
Flood Mitigation Assistance Program (FMA), the Repetitive Flood Claims
Program (RFC), and the Severe Repetitive Loss Program (SRL). Moreover,
the Hazard Mitigation Grant Program (HMGP) and the Pre-Disaster
Mitigation Program (PDM) are two additional hazard mitigation programs
that are not specific to flooding.
[72] Mandatory spending refers to outlays resulting from budget
authority that is provided in laws other than appropriation acts,
while discretionary spending is provided in and controlled by
appropriation acts.
[73] As of February 2011, FIMA did not have an appointed
administrator. FIMA has had an acting administrator since April 2009.
[74] See GAO, Flood Insurance: Options for Addressing the Financial
Impact of Subsidized Premium Rates on the National Flood Insurance
Program, [hyperlink, http://www.gao.gov/products/GAO-09-20]
(Washington, D.C.: Nov. 14, 2008).
[75] See GAO, Budget Issues: Budgeting for Federal Insurance,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-97-16] (Washington,
D.C.: Sept. 30, 1997).
[76] See [hyperlink, http://www.gao.gov/products/GAO-09-20].
[77] NFIP's PRP offers low-cost flood insurance to owners and tenants
of residential and nonresidential buildings located in moderate-to low-
risk areas as long as the property has not, within any 10-year period,
incurred two or more flood insurance claim payments or disaster relief
payments (including loans and grants), each more than $1,000.
[78] The National Flood Insurance Act of 1968, as amended, authorizes
FEMA to carry out NFIP to enable persons to buy insurance against
losses arising from flood. The statute defines flood as including
sudden, flood-event-triggered collapses or subsidences of land along
the shore of a body of water, but the statute's definition of flood
does not include the gradual, long-term erosion that may endanger
coastal communities. See 42 U.S.C. §§ 4001, 4002 and 4121(c).
[79] Bunning-Bereuter-Blumenauer Flood Insurance Reform Act of 2004,
Pub. L. No. 108-264, 118 Stat. 712 (2004). The act amended the
existing definition of the term "repetitive loss structure" to the
current one: a structure covered by a contract for flood insurance
that has incurred flood-related damage on two occasions, in which the
cost of repair, on the average, equaled or exceeded 25 percent of the
value of the structure at the time of each such flood event; and at
the time of the second incidence of flood-related damage, the contract
for flood insurance contains increased cost of compliance coverage,
which can help property owners pay for the cost of mitigation measures
for flood-damaged properties. 42 U.S.C. § 4121(a).
[80] See GAO, National Disasters: Public Policy Options for Changing
the Federal Role in Natural Catastrophe Insurance, [hyperlink,
http://www.gao.gov/products/GAO-08-7] (Washington, D.C.: Nov. 26,
2007).
[81] See [hyperlink, http://www.gao.gov/products/GAO-09-20].
[82] Homeland Security Studies and Analysis Institute (HSSAI), FEMA
Workforce Baseline Assessment (Arlington, Va.: Mar. 31, 2010).
[83] See GAO, Agencies' Strategic Plans Under GPRA: Key Questions to
Facilitate Congressional Review, [hyperlink,
http://www.gao.gov/products/GAO/GGD-10.1.16] (Washington, D.C.: May
1997) and Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[84] See GAO, Results-Oriented Government: Practices That Can Help
Enhance and Sustain Collaboration among Federal Agencies, [hyperlink,
http://www.gao.gov/products/GAO-06-15] (Washington, D.C.: Oct. 21,
2005).
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
