IRS Management
IRS Practices Contribute to Its Resilience, but It Would Benefit from Additional Emergency Planning Efforts Gao ID: GAO-09-418 April 9, 2009The Internal Revenue Service (IRS) collects the revenues that fund the federal government and issues billions of dollars in refunds. Consequently, IRS's ability to demonstrate agility and speed in restoring its functions after a disruption is vital to the government and the economy. GAO (1) identified the definition and attributes of organizational resilience; (2) examined the extent to which these attributes are exhibited within IRS; and (3) reviewed the challenges and opportunities faced by the IRS in becoming more resilient. GAO gathered and analyzed the attributes of resilience based on discussions with academic and practitioner experts in the field. GAO then reviewed IRS human capital and emergency preparedness policies and strategic plans, observed campus operations and emergency working group meetings, and interviewed officials from headquarters and each of the four business units.
Organizational resilience is the quality that would enable an organization to restore itself or thrive following a disruption that substantially compromises its ability to accomplish its mission. Five categories of attributes can help an organization be more resilient: robust emergency planning, flexible organizational assets that can be accessed during times of change, leadership capacity distributed through the organization, a committed and skilled workforce, and strong relationships with internal networks and outside organizations. Although each of these categories is important, the characteristics of whatever disruption an organization faces may make some attributes more valuable than others. In its emergency planning, IRS has learned from experiences requiring organizational resilience. For example, during the peak operations of the 2008 filing season, the economic stimulus legislation required that the IRS process stimulus payments totaling $94 billion. Through adjustments to the workforce, IRS was able to implement the change and delivered a generally successful filing season, while making key trade-offs. Although the IRS has learned from past events, its current test and exercise strategy is limited. Functional or full-scale exercises--which are not part of IRS's strategy-- provide more realistic conditions and a better experience to prepare the leadership and emergency personnel to contend with an actual event. Demonstrating the ways that IRS has flexible organizational assets that can be accessed during times of change, IRS strategically has made some operations redundant, which allows work to be shifted between offices when needed. The IRS has also exhibited the capability to use seasonal workers to increase its workforce after a disruption, as was the case in the support it provided to the Federal Emergency Management Agency after Hurricane Katrina. In building leadership and a committed workforce, the IRS has numerous formal training and development initiatives to build the leadership capability of both its management team as well as its non supervisory employees. While IRS employees understand how their work contributes to the IRS's goals and priorities, currently less than half of IRS employees believe that agency leaders and managers generate motivation and commitment in the workforce. A number of IRS initiatives are now in place to address this issue, including coaching of managers based on employee feedback survey data and outreach by managers to IRS employees. Lastly, IRS is highly networked both within and outside of IRS, which provides opportunities for accessing additional resources after a disruption. IRS has requirements for including internal stakeholders in tests and exercises. When IRS has involved external stakeholders in tests and exercises, it has proven useful, but this practice is neither formalized nor widespread.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-09-418, IRS Management: IRS Practices Contribute to Its Resilience, but It Would Benefit from Additional Emergency Planning Efforts
This is the accessible text file for GAO report number GAO-09-418
entitled 'IRS Management: IRS Practices Contribute to Its Resilience,
but It Would Benefit from Additional Emergency Planning Efforts' which
was released on May 11, 2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Committee on Finance, U.S. Senate:
United States Government Accountability Office:
GAO:
April 2009:
IRS Management:
IRS Practices Contribute to Its Resilience, but It Would Benefit from
Additional Emergency Planning Efforts:
GAO-09-418:
GAO Highlights:
Highlights of GAO-09-418, a report the Committee on Finance U.S.
Senate.
Why GAO Did This Study:
The Internal Revenue Service (IRS) collects the revenues that fund the
federal government and issues billions of dollars in refunds.
Consequently, IRS‘s ability to demonstrate agility and speed in
restoring its functions after a disruption is vital to the government
and the economy. GAO (1) identified the definition and attributes of
organizational resilience; (2) examined the extent to which these
attributes are exhibited within IRS; and (3) reviewed the challenges
and opportunities faced by the IRS in becoming more resilient. GAO
gathered and analyzed the attributes of resilience based on discussions
with academic and practitioner experts in the field. GAO then reviewed
IRS human capital and emergency preparedness policies and strategic
plans, observed campus operations and emergency working group meetings,
and interviewed officials from headquarters and each of the four
business units.
What GAO Found:
Organizational resilience is the quality that would enable an
organization to restore itself or thrive following a disruption that
substantially compromises its ability to accomplish its mission. Five
categories of attributes can help an organization be more resilient:
robust emergency planning, flexible organizational assets that can be
accessed during times of change, leadership capacity distributed
through the organization, a committed and skilled workforce, and strong
relationships with internal networks and outside organizations.
Although each of these categories is important, the characteristics of
whatever disruption an organization faces may make some attributes more
valuable than others.
In its emergency planning, IRS has learned from experiences requiring
organizational resilience. For example, during the peak operations of
the 2008 filing season, the economic stimulus legislation required that
the IRS process stimulus payments totaling $94 billion. Through
adjustments to the workforce, IRS was able to implement the change and
delivered a generally successful filing season, while making key trade-
offs. Although the IRS has learned from past events, its current test
and exercise strategy is limited. Functional or full-scale exercises”
which are not part of IRS‘s strategy”provide more realistic conditions
and a better experience to prepare the leadership and emergency
personnel to contend with an actual event.
Demonstrating the ways that IRS has flexible organizational assets that
can be accessed during times of change, IRS strategically has made some
operations redundant, which allows work to be shifted between offices
when needed. The IRS has also exhibited the capability to use seasonal
workers to increase its workforce after a disruption, as was the case
in the support it provided to the Federal Emergency Management Agency
after Hurricane Katrina.
In building leadership and a committed workforce, the IRS has numerous
formal training and development initiatives to build the leadership
capability of both its management team as well as its non supervisory
employees. While IRS employees understand how their work contributes to
the IRS‘s goals and priorities, currently less than half of IRS
employees believe that agency leaders and managers generate motivation
and commitment in the workforce. A number of IRS initiatives are now in
place to address this issue, including coaching of managers based on
employee feedback survey data and outreach by managers to IRS
employees.
Lastly, IRS is highly networked both within and outside of IRS, which
provides opportunities for accessing additional resources after a
disruption. IRS has requirements for including internal stakeholders in
tests and exercises. When IRS has involved external stakeholders in
tests and exercises, it has proven useful, but this practice is neither
formalized nor widespread.
What GAO Recommends:
IRS should establish a plan to conduct a limited number of functional
or full-scale exercises, evaluate their costs and benefits, and include
adjustments as appropriate. Some degree of stress should be included in
routine evacuation and shelter in place drills. Lastly, IRS should also
include external stakeholders in tests and exercises. In response, IRS
agreed with all three recommendations.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-09-418]. For more
information, contact Bernice Steinhardt at (202) 512-6543 or
steinhardt@gao.gov.
[End of section]
Contents:
Letter:
Background:
Some Organizational Attributes Can Contribute to Resilience:
Lessons Learned Enhance IRS Resilience, but Current Emergency Planning
Could Cover a Wider Range of Disruptions:
IRS's Redundant Facilities and Telework Capabilities Increase
Resilience:
IRS Has Many Systems to Build Leadership, Accountability, and
Commitment in Its Employees:
IRS Has a Number of Networks but Could Include Stakeholders to a
Greater Extent:
Conclusions:
Recommendations:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Expanded Discussion of Organizational Resilience
Attributes:
Appendix III: Comments from the Internal Revenue Service:
Appendix IV: GAO Contact and Staff Acknowledgements:
Tables:
Table 1: IRS Has Initiatives to Develop the Leadership Skills and
Commitment in the Workforce:
Table 2: Examples of IRS External Networks:
Figures:
Figure 1: Framework of Organizational Resilience:
Figure 2: Distributed Capacity in IRS Operations:
Figure 3: Framework of Organizational Resilience:
Abbreviations:
FEMA: Federal Emergency Management Agency:
IRS: Internal Revenue Service:
LMSB: Large and Mid-Size Business:
SB/SE: Small Business/Self Employed:
TE/GE: Tax Exempt and Government Entities:
TIGTA: Treasury Inspector General for Tax Administration:
W&I: Wage and Investment:
Y2K: Year 2000:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
April 9, 2009:
The Honorable Max Baucus:
Chairman:
The Honorable Charles E. Grassley:
Ranking Member:
Committee on Finance:
United States Senate:
The functioning of the Internal Revenue Service (IRS) is vital to the
overall operations of government and the economic health of the nation.
In fiscal year 2007, IRS collected almost $2.4 trillion in taxes, which
represented about 17 percent of the United States Gross Domestic
Product. IRS also issued about $300 billion in refund payments to
taxpayers. IRS's capacity to demonstrate resilience--which we define as
its ability to restore itself or thrive following a disruption that has
the potential to substantially compromise IRS's capability to
accomplish its mission--is key to its ability to fill its important
role for the nation.
You asked us to review emergency preparedness in IRS operations. In
light of a review of IRS emergency plans by the Treasury Inspector
General for Tax Administration (TIGTA), we agreed to review practices
of IRS which would help make it more resilient.[Footnote 1] In the
conduct of our review, we (1) identified the definition and attributes
of resilience which an organization may exhibit prior to a disruption
that has the potential to substantially compromise the organization's
ability to accomplish its mission; (2) examined the extent to which
these attributes are present among IRS's business operating divisions;
and (3) reviewed the challenges and opportunities faced by IRS in
becoming more resilient.
To identify the attributes of organizational resilience, we reviewed
the literature regarding resilience from the fields of psychology;
ecology; organizational and management science; high-reliability
organizations; continuity; and disaster management, as well as relevant
GAO and TIGTA reports. We selected 11 academic and practitioner experts
to interview based on their publications, contributions to the field of
organizational resilience, and frequent citation by other experts.
Using an iterative process with these experts, we developed a list of
21 attributes which the experts associated with organizational
resilience. We assigned these attributes to five broad categories:
emergency planning, organizational flexibility, leadership, workforce
commitment, and networks. To examine the evidence of organizational
resilience among IRS's business operating divisions and the challenges
and opportunities that IRS faces in becoming more resilient, we
reviewed IRS policies and manuals, observed the operations of the Joint
Operations Center and the Processing Center during a site visit to
IRS's Atlanta campus, observed the IRS Emergency Management and
Preparedness Working Group, completed an analysis of IRS employee
survey data, and interviewed IRS officials from headquarters and each
of the four business units.
We conducted this performance audit from January 2008 to April 2009, in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
We assessed the reliability of the IRS's employee survey data by (1)
performing electronic testing of required data elements, (2) reviewing
existing information about the data and the system that produced them,
and (3) interviewing agency officials knowledgeable about the data. We
determined that the data were sufficiently reliable for the purpose of
this report. Additional details on our scope and methodology can be
found in appendix I.
Background:
The Internal Revenue Service:
IRS's mission is to provide America's taxpayers top-quality service by
helping them understand and meet their tax responsibilities and by
applying the tax law with integrity and fairness to all. To fulfill
this mission, IRS has more than 100,000 employees deployed among more
than 600 offices nationwide and in select international cities. Some of
these offices are part of eight IRS campuses, which have the physical
facilities for processing tax forms and some of the facilities to
respond to customer inquiries. In response to the increased electronic
filing of taxes, IRS is consolidating the physical facilities it uses
for processing tax forms, also called processing centers. The rest of
IRS's work is completed in noncampus offices and on-site at taxpayer
offices, such as large corporations.
Following the IRS Restructuring and Reform Act of 1998, IRS organized
itself into four business units to serve different types of
taxpayers.[Footnote 2] The Wage and Investment (W&I) business unit
works with individual taxpayers; the Small Business/Self-Employed (SB/
SE) business unit works with full or partially self employed
individuals and small businesses; the Large and Mid-Size Business
(LMSB) works with corporations and partnerships with assets greater
than $10 million; and the Tax Exempt and Government Entities (TE/GE)
business unit works with employee plans, tax exempt organizations, and
governments.
Organizational Resilience:
The concept of resilience has gained particular importance and
application in a number of areas of federal planning. Both the Congress
and executive branch agencies have addressed resilience in relation to
the importance of the recovery of the nation's critical infrastructure
from damage.[Footnote 3] Accordingly, most of the current focus is on
assets, systems, and networks rather than agencies or organizations. In
February 2006, the Task Force of the Homeland Security Advisory Council
defined resiliency[Footnote 4] as "the capability of a system to
maintain its functions and structure in the face of internal and
external change and to degrade gracefully when it must." Later in 2006,
the Department of Homeland Security's National Infrastructure
Protection Plan--again focusing on critical infrastructure, not
agencies--defined resilience as "the capability of an asset, system, or
network to maintain its function during or to recover from a terrorist
attack or other incident."[Footnote 5] In May 2008, the House Committee
on Homeland Security held a series of hearings focusing on resilience
at which government and private sector representatives, while agreeing
on the importance of the concept, presented a variety of definitions
and interpretations of resilience.[Footnote 6] For the purposes of this
report, when we discuss resilience, we will be referring to
organizational resilience.
At the agency level, the current focus is primarily on continuity of
operations and the recently issued Federal Continuity Directives.
According to the Federal Continuity Directive 1, "an organization's
continuity capability--its ability to perform its essential functions
continuously--rests upon key components and pillars, which are in turn
built on the foundation of continuity planning and program management."
[Footnote 7] The Federal Continuity Directive states that an
organization's resilience is directly related to the effectiveness of
its continuity capability. In contrast to continuity of operations,
organizational resilience looks at more than just essential functions,
and accordingly, we have developed the five categories described below.
Some Organizational Attributes Can Contribute to Resilience:
Because there is no widely accepted definition, we defined
organizational resilience for the purposes of our report and developed
a framework to assess a federal agency's resilience. Organizational
resilience is the quality that would enable an organization to restore
itself or thrive following a disruption that has the potential to
substantially compromise the organization's ability to accomplish its
mission. A highly resilient organization is identified by the speed and
agility it demonstrates in achieving a return to its normal state (or
new normal state) and its resulting enhanced ability to respond to
future disruptions.
To make our definition of organizational resilience more practical and
observable, we identified 21 attributes particularly associated with
resilience and assigned them to five related categories. These
categories provide a useful assessment framework. (See figure 1.) These
related categories are:
* emergency planning,
* organizational flexibility,
* leadership,
* workforce commitment, and:
* networked organizations.
However, whatever assessments are undertaken, it is important to note
that the severity or circumstance of a particular disruption to an
organization may be so severe or unusual as to make recovery not
attainable even if the organization has evidenced attributes of
resilience prior to the disruption. Similarly, given the specific
nature of the disruption or the specific circumstances of the
disruption, perhaps one attribute relative to others may prove
particularly useful in helping the organization to recover
successfully.
The attributes associated with organizational resilience are discussed
in summary below and each attribute is discussed in greater detail in
appendix II.
Figure 1: Framework of Organizational Resilience:
[Refer to PDF for image: illustration]
Interlocking concepts form a circle around the term Organizational
Resilience. Those concepts are:
Emergency planning;
Organizational flexibility;
Leadership;
Workforce commitment;
Networked organizations.
Source: GAO.
[End of figure]
Emergency Planning:
Emergency planning identifies disruptions that could potentially affect
an organization and defines and tests strategies to face those
disruptions or similar challenges.[Footnote 8] For example, in 2004,
the Federal Emergency Management Agency's (FEMA) Hurricane Pam exercise
simulated a category 3 hurricane. In the exercise scenario, 15 to 20
feet of water inundated New Orleans. This scenario was similar to the
actual conditions of Hurricane Katrina. Based on this exercise, FEMA
was able to implement some strategies which proved helpful during
Hurricane Katrina, such as FEMA's working with hospital and university
officials to create temporary medical operations around the state.
However, FEMA's exercise also identified other problems that it did not
address, such as the need to plan for evacuating those with special
needs.[Footnote 9]
Attributes Associated with Emergency Planning:
* Test and exercise requirements that challenge employees to respond to
unexpected and stressful circumstances that require adjustments to
established plans and procedures;
* Incorporation of lessons learned from tests, exercises, and past
disruptions into its emergency plans;
* Management decisions based on risk assessments;
* Employees at all levels and in various units and locations of the
organization who are involved in emergency planning efforts.
Organizational Flexibility:
A resilient organization has a workforce that can respond to a range of
disruptions with appropriate purpose, initiative, and comfort with
change. One aspect of organizational flexibility is an ability to
accept change as a learning opportunity. For example, the 9/11
Commission report criticized the Federal Aviation Administration for
failing to consider in its planning the possibility of certain types of
terrorist attacks. Specifically, the commission determined that if the
agency had examined a possible suicide hijacking and reviewed existing
security provisions, they could have identified vulnerabilities.
According to the commission, agencies tend to accept the status quo,
and accept that efforts to identify or fix certain vulnerabilities are
too costly, controversial, or disruptive to fix.[Footnote 10] This
inability to tackle necessary change can leave an organization with
unaddressed vulnerabilities, as was the case with the Federal Aviation
Administration.
Additionally, knowing when to change rules helped give federal agencies
access to additional resources during the Year 2000 (Y2K) Computing
Challenge. Specifically, increased latitude with human capital
practices in the federal government allowed agencies to access a larger
pool of skilled employees that could be allocated as needs arose. The
Office of Personnel Management recognized that personnel would need to
be increased to meet Y2K compliance and provided additional, more
flexible hiring authorities for agencies who needed employees to work
on the conversion. This included changing some authorities for re-
hiring federal retirees, exceptions on limitations on premium pay, and
providing retention allowances.[Footnote 11] Prior GAO work credited
creative human capital decisions and an adequate pool of human
resources as contributing to the federal government's ability to meet
the Y2K challenge.
Attributes Associated with Organizational Flexibility:
* Employees with sufficient breadth of expertise to contribute to
resumption efforts in a variety of ways;
* Redundant or alternate paths to achieve results;
* Financial, physical, information technology, and human resources
managed with an adequate margin to respond to unexpected events;
* A culture that encourages:
- Employee creativity and innovation;
- Acceptance of change and uncertainty as a learning opportunity.
Leadership:
Leaders who demonstrate respect for their employees and are accountable
for results are more likely to garner the employee commitment that will
be needed after a disruption that substantially compromises the
organization's ability to accomplish its mission. Additionally, when
leadership abilities are distributed broadly through the workforce, an
organization is more likely to be resilient. For example, the Senate
Homeland Security and Governmental Affairs Committee found that, after
Hurricane Katrina, the Coast Guard had empowered front-line leaders to
make decisions when they needed to be made, which it found was perhaps
more important to their resilience than their regular
training.[Footnote 12] Also, once it was known that the September 11
hijackers entered the United States on valid visas, the Department of
State devolved leadership authority by empowering consular staff to
distinguish legitimate visitors from potential terrorists through
antiterrorism training, access to databases with names of potential
terrorists, foreign language training, and more staff to handle the
workload.[Footnote 13]
Attributes Associated with Leadership:
* Treating employees with respect and acknowledging the needs of
employees;
* Preparing employees to exercise leadership when necessary, which
includes making appropriate decisions and in some cases, commitments on
behalf of the organization;
* Delegating responsibility based on knowledge of employee skills and
past work experiences;
* Building an empowered and effective workforce by supporting employee
achievement and professional development;
* Holding leaders accountable for results; having tools that hold staff
accountable for results.
Workforce Commitment:
Within a workforce that is committed to the organization, individuals
are motivated to make significant personal investments and provide the
knowledge that may be necessary for organizational success following a
disruption. One aspect of employee commitment is understanding the ways
that the organization works. One expert referred to this attribute as
the ability to "have the organization in your head." For example, a
bipartisan House of Representatives committee reported after Hurricane
Katrina that a lack of understanding of the command and control
structure among employees slowed and complicated the response effort
after the hurricanes.[Footnote 14] Another key aspect of this category
is a workforce with the needed skills to meet the organization's
mission. The committee report also noted that, after Hurricanes Katrina
and Rita, the Department of Homeland Security and FEMA were not
prepared, in part, due to a lack of experienced and trained staff.
[Footnote 15]
Attributes Associated with a Workforce Commitment:
* Employees who understand and are committed to the organization's
mission and values and their roles within the organization;
* Employees with the skills necessary to meet the organization's
mission and address any problems that may arise;
* Employees who understand the broader implications of their work and
the downsides of possible failure, who demonstrate appropriate actions
when faced with potential disruptions.
Networked Organizations:
Solid internal and external networks can facilitate and strengthen
other resilience attributes. For example, having dependable connections
will likely expand and expedite an organization's access to resources
when the organization is faced with a disruption. Specifically, being
aware of interdependencies, knowing when reinforcement is needed, and
being able to communicate among interdependent units can give an
organization an extended reach for information, resources, and advice.
Furthermore, an organization's knowledge of its supply chain
interdependencies can help identify vulnerabilities, which can inform
risk assessments and emergency planning. For example, after the
terrorist attacks of September 11, 2001, many companies in the
financial sector found that they relied on the same electronic data
system backup sites, which were also affected by the attacks. As a
result, key institutions realized that their individual plans for
preparedness for disasters or other crises significantly affected
others, both directly and indirectly. Accordingly, the Securities and
Exchange Commission recommended that financial institutions explore the
usefulness of coordinated testing of plans.[Footnote 16] Additionally,
the Y2K challenge was met through the collaborative efforts of the
Congress, the administration, federal agencies, state and local
governments, and the private sector. Had any of these sectors failed to
take the Y2K problem seriously, neglected to remedy computer systems,
or failed to work together with partners on common issues such as
contingency planning, critical services could have been disrupted.
[Footnote 17]
Attributes Associated with Networked Organizations:
* A plan and means to communicate with target audiences;
* Formal and informal intra-organizational networks;
* Clearly identifying critical suppliers, assessing their reliability,
and considering the availability of alternate arrangements in
emergencies;
* Reliable partnerships with community and peer organizations;
employees who are connected to other organizations through professional
associations and networks.
Although these five categories of attributes contribute to
organizational resilience, all disruptions are individual situations
and even a relatively resilient organization may not be able to restore
operations under certain circumstances. Furthermore, during a
disruption, some attributes may prove to be more important than others.
For example, IRS found that, after the 2006 flood of IRS headquarters,
IRS did not have to activate its headquarters continuity of operations
plan. Alternate work space was quickly made available for all
headquarters employees, so identifying critical personnel, a required
step of continuity of operations planning, was much less important.
Additionally, with many attributes, excess of a positive attribute
becomes negative. For example, too much experience with change could
make employees suffer from innovation fatigue and become less open and
receptive to change.
Lessons Learned Enhance IRS Resilience, but Current Emergency Planning
Could Cover a Wider Range of Disruptions:
Emergency Planning:
* Incorporation of lessons learned from tests, exercises, and past
disruptions into emergency plans.
IRS has a record of responding to external events, which have offered
lessons and opportunities for IRS to strengthen practices that enhance
resilience. The examples below show how IRS was able respond to
unanticipated external events because it had learned from prior
experiences.
* IRS was able to improve the speed of its response to disruptions by
adapting its information technology processes. After Hurricanes Katrina
and Rita in August and September 2005, IRS deployed more than 5,000
employees at its call sites to help register disaster victims with
FEMA.[Footnote 18] During the response effort, IRS officials estimated
that IRS staff may have handled more than 50 percent of FEMA's calls.
In order to fill this increased need for capacity, IRS expanded the
size of its workforce by bringing back about 4,000 seasonal employees,
who are typically hired to assist with the tax filing season.[Footnote
19] IRS completed a similar service for FEMA during Hurricanes Ike and
Gustav in 2008, and was able to incorporate lessons learned from the
response to Hurricanes Katrina and Rita. Specifically, during the
response to Katrina and Rita, IRS employees were able to log into
either the IRS system or the FEMA system but not quickly able to
transition between the two to serve the needs of the individual
callers. After this experience, IRS's information technology staff
identified ways for IRS employees to toggle between the two systems and
thus work where demand was greatest.
* IRS implemented lessons from past stimulus payments and delivered a
generally successful tax filing season. During the peak of the 2008
taxpayer filing season, IRS also had to process payments to taxpayers
as directed by the 2008 economic stimulus legislation.[Footnote 20] IRS
processed stimulus payments totaling $94 billion and handled more than
twice as many calls from individuals looking for assistance than they
received in 2007.[Footnote 21] In addition, IRS processed almost 9
million "economic stimulus only" tax returns from individuals who would
not otherwise have had to file a return. Because many of these
individuals had never filed a return, the error rate on these returns
was higher than usual. Because of the timing of the economic stimulus
package, IRS did not have time to hire, conduct background checks for,
and train additional staff to handle the increased volume of telephone
calls for taxpayer assistance. Instead, IRS maximized the use of its
workforce by asking its compliance staff to answer incoming calls from
taxpayers about the stimulus. IRS knew the adjustments that it would
have to make to its workforce based on its experience implementing past
economic stimulus bills. As a result, even with this increased
workload, IRS was also able to deliver a generally successful filing
season. Nevertheless IRS had to make trade-offs in other key areas. As
a result of decisions to shift staff from collection cases to telephone
assistance, IRS estimated that its costs and foregone revenues would
reach up to $960 million.
IRS has been generally successful in the face of past disruptions.
However valuable these experiences have been, though, they can not
provide experiences for all possible disruptions nor provide experience
to all IRS employees. For example, an influenza pandemic, in which a
large portion of the workforce could be absent from work for extended
periods, would entail a different type of response from the experiences
required by past events. Accordingly, IRS relies on its emergency
planning process and its test and exercise plans to assist in preparing
for disruptions it has not yet experienced.
A Full Range of Tests and Exercises Is Not Included in IRS's Strategy:
Emergency Planning:
* Test and exercise requirements that challenge employees to respond to
unexpected and stressful circumstances that require adjustments to
established plans and procedures.
IRS's test and exercise strategy focuses on four types of tests and
exercises. First, call tree tests check the accuracy and completeness
of contact information for key emergency personnel. Second, IRS staff
annually check that all four types of IRS business continuity plans are
up to date and accurate.[Footnote 22] Third, key emergency response
personnel from each business unit are required to complete a tabletop
exercise in which they familiarize themselves with the business
resumption plan, their roles within the plan, and the steps they would
take in case of an emergency. Participants in the tabletop exercise
then walk through possible scenarios to discuss ways they would
respond. Last, in large geographic areas, emergency personnel from
multiple business units participate together in an integrated tabletop
exercise. The goal of the integrated tabletop exercise is to provide a
better understanding of how emergency response personnel from different
organizations work together and identify the required time needed for
resumption and recovery activities.
The tabletop exercises--while required agencywide since September 2006-
-are not regularly conducted. TIGTA found that more than half of the
business resumption plans they sampled had not been tested through
tabletop exercises in calendar year 2007.[Footnote 23] In addition, IRS
officials noted that the tabletop exercises are not always well
designed. For example, they said that one tabletop exercise presented
so many scenario events that participants found the exercise to be
unrealistic and, during the exercise, chose to decrease the number of
scenario events and the duration of the exercise. In response to the
need to improve exercises across IRS and implement new requirements
from the Federal Continuity Directives, IRS assembled its Emergency
Management and Preparedness Working Group, which coordinates emergency
activities among its business units, for a 2-day workshop. With the
goal of reducing the variation in the quality of the tabletop
exercises, the workshop leaders discussed and encouraged sharing among
all the participants of how to prepare and conduct successful tabletop
exercises.[Footnote 24] Headquarters has also recently made additional
resources available to assist the business units with implementing the
tabletop exercises. For example, they recently established the Incident
Management Business Resumption Group as a resource available to the
business units to plan and conduct training, testing, and exercises.
In addition to tabletop exercises, FEMA has identified and recommended
two additional types of tests and exercises:
* Functional exercise: fully simulated interactive exercise that tests
the capability of an organization to respond to a simulated event. This
type of exercise strives for realism, short of actual deployment of
equipment and personnel.
* Full-scale exercise: a simulated emergency event, as close to reality
as possible. It involves all emergency response functions and requires
full deployment of equipment and personnel.[Footnote 25]
The value of exercises that involve simulation was underscored by the
experts we interviewed. They noted that a resilient organization
provides opportunities for employees to respond to stressful
circumstances. The simulations involved in these types of exercises
create more realistic conditions and a better experience to prepare
employees to contend with an actual emergency event.
The senior IRS official responsible for emergency preparedness believes
that these more in-depth tests and exercises would be beneficial
because they would stretch IRS leadership and emergency personnel to
confront and learn from more realistic challenges. As part of this
discussion, he acknowledged that these more extensive tests and
exercises are more expensive than tabletop exercises and require a
significant time commitment from agency personnel. Accordingly, he
thought that it would be better to initially implement these tests on a
limited pilot basis.
According to the experts we interviewed, some of the benefits of a
functional or full-scale exercise may be accomplished with the
investment of fewer resources, by simply making routine drills more
stressful by taking steps such as withholding an expected resource. For
example, one IRS campus held a fire drill in which use of cell phones
was prohibited. This experience taught employees to practice different
modes of communication and to use "runners" to spread information among
employees. This same campus held an additional evacuation drill where
selected employees remained in the building during the drill to test
the ability of the employees tasked with assuring the building was
cleared of occupants to locate missing employees.[Footnote 26]
IRS's Redundant Facilities and Telework Capabilities Increase
Resilience:
Organizational Flexibility:
* Redundant or alternate paths to achieve results.
IRS has a strategy to build resilience through geographic dispersion of
leadership, data systems, personnel, and other capabilities.
Accordingly, IRS's campus operations are carried out at eight locations
across the country; each campus has the capability to handle taxpayer
calls and process tax returns. (See figure 2.) The network of IRS
campuses is geographically dispersed and also highly redundant in
function. IRS officials have stated that, after a disruption, all
campus operations could be transferred to another campus if needed.
Also, work is routinely shifted among campuses if the workload of one
campus exceeds the campus's capacity.[Footnote 27]
IRS has made strategic decisions based on the importance of flexibility
to its overall resilience. Specifically, to reduce unneeded capacity
caused by the increase in the number of taxpayers submitting tax
returns electronically, IRS is in the process of consolidating its
total number of paper processing centers. However, in considering the
optimal number of paper processing centers to retain for individual
returns, IRS officials used an analysis of the potential effects, in
the face of an emergency, of losing some campus redundancies. Based on
this analysis, IRS will keep three--rather than two--individual tax
return sites open. When combined with two paper processing centers for
small business tax returns, IRS will have a total of five centers that
process paper tax forms, making it better able, in its view, to
maintain the degree of flexibility that it needs for resilience.
In other IRS operations that do not require as much access to IRS
equipment and facilities, distributed capacity is achieved through
moving work among a dispersed workforce. To move work among noncampus
employees--who typically work in field offices or on site with a
taxpayer--the business units have developed electronic case management
files and have given employees access to laptops so that work can be
completed from any site. This is important because, in many cases, the
work of the noncampus employees is highly specialized, and accordingly,
IRS officials said that they preferred to keep workload within a
business unit after a disruption rather than redistributing it to other
business units.
Figure 2: Distributed Capacity in IRS Operations:
[Refer to PDF for image: map of the United States]
This map illustrates the distributed capacity in IRS operations by
indicating the locations of the following:
Individual returns processing center;
Business and exempt organization returns processing center;
Processing centers previously or to be consolidated;
[All processing centers are networked].
Call centers (all call centers are networked).
Source: GAO analysis of IRS data.
[End of figure]
In contrast, the call center operations are routinely shifted among
individuals--located at 26 call sites nationwide--who respond to
taxpayer questions. The Joint Operations Center, located at the Atlanta
campus, routes incoming calls for taxpayer assistance to available
assistors. This center monitors the number of calls and customer
waiting times and distributes calls across its nationwide network of
call centers. This process allows IRS to ensure that taxpayer calls are
promptly answered by directing the workload to the first available
individual who is able to provide taxpayer assistance. Furthermore, the
Joint Operations Center itself is redundant; another fully capable
Joint Operations Center is located in Memphis, Tennessee.
Organizational Flexibility:
* Employees with sufficient breadth of expertise to contribute to
resumption efforts in a variety of ways.
Within a campus, many employees can perform multiple tasks and can be
reassigned within the campus as needed. As workload needs change,
employees are routinely shifted between managing telephone and paper
correspondence from taxpayers. Furthermore, as needed, employees who
process paper returns are routinely shifted between jobs, such as
sorting or examining envelopes to ensure that checks have not been left
behind. This provides the flexibility needed for the campus operations
to respond to change.
Organizational Flexibility:
* Financial, physical, information technology, and human resources
managed with an adequate margin to respond to unexpected events.
In past disruptions, IRS has used its seasonal workforce to respond to
changing circumstances. IRS has a seasonal workforce of about 30,000
workers, who are needed to assist IRS as the workload increases during
tax filing season. IRS contacts seasonal employees needed for each
day's workload, allowing the IRS campus workforce to expand and
contract as needed. During emergencies, IRS has called on these
employees for other purposes as well. For example, as discussed above,
IRS called on 4,000 seasonal workers to assist FEMA in responding to
calls for assistance after Hurricanes Katrina and Rita.[Footnote 28]
IRS has also demonstrated the ability to be flexible after disruptions
and reallocate physical resources quickly. For example, as a result of
a flood at IRS headquarters building during a period of record rainfall
in June 2006, the building sustained extensive damage to its
infrastructure, and critical parts of the building's electrical and
mechanical equipment were destroyed or heavily damaged, requiring the
headquarters building to be closed until December 2006 to allow for
repairs. Within 1 month of the flood, over 2,000 employees normally
assigned to the headquarters building were relocated to 15 other
locations throughout the Washington, D.C., metropolitan area.
IRS Has Many Systems to Build Leadership, Accountability, and
Commitment in Its Employees:
Leadership:
* Leaders who build an empowered and effective workforce by supporting
employee achievement and professional development;
* Leaders who are accountable for results; tools that hold staff
accountable for results.
Workforce Commitment:
* Employees who understand and are committed to the organization's
mission and values and their roles within the organization.
IRS has many systems in place to develop its overall leadership
capability. Among these are readiness programs to develop managers and
executive leadership (see table 1 for details). Through coursework and-
-in the case of executive development programs--rotational
opportunities, these programs are designed to help employees develop
leadership skills and assess whether a manager position fits their
career interest and abilities. Participants can learn about and try
manager competencies without committing to a position, and managers can
identify talented future managers without promising every participant a
manager position. After completing a program, interested participants
are selected for positions on a competitive basis. Not only are these
programs intended to help address IRS's projected need for managers,
they allow nonmanagers to be trained in leadership skills, which
distributes leadership skills throughout the IRS workforce and could be
helpful in assisting IRS during a disruption. For the past five years,
the IRS Commissioner and Oversight Board have received quarterly
updates on the percent of managers completing these programs in a
timely manner. We have reported that attention from high level agency
officials to training initiative performance measures can directly
contribute to the development of employees who are capable and
motivated to accomplish the agency's mission and goals.[Footnote 29]
Accordingly, based on the performance information he has received, the
IRS Commissioner determined that employees would be better able to
fulfill agency needs by making adjustments to IRS's criterion for
timeliness. Specifically, IRS managers are now expected to receive
training before or within 9 months of their promotion, a shorter time
frame than was the case in the past.
Table 1: IRS Has Initiatives to Develop the Leadership Skills and
Commitment in the Workforce:
Initiative name: Readiness Programs;
Description: These programs develop management-and executive-level
staff from within the IRS workforce and can range in duration from 3
weeks to 2 years. Programs include Frontline Manager, Department
Manager, Senior Manager, and Executive Readiness. The programs offer
coursework, mentoring, and--in the case of the Executive Readiness
Program--rotations.
Initiative name: Employee Engagement Index;
Description: This index was developed for the IRS and is calculated
using 11 questions selected from the IRS Employee Survey intended to
measure employee engagement. The IRS defines employee engagement as the
degree of employees' motivation, commitment, and involvement in the
mission of the organization. IRS has created a benchmark for this index
and monitors its progress on a yearly basis.
Initiative name: Leadership Coaching Program;
Description: Managers receiving a score in the bottom 10 percent of
performing groups--based on the Employee Engagement Index--are enrolled
in the coaching program to improve management skills and employee
engagement. Through the program, about 8,700 managers have received
management reports documenting strengths and weaknesses. W&I managers
not identified within the bottom 10 percent of employee engagement have
joined the coaching program at their own request.
Initiative name: Engagement Strategy (ES) Tracker;
Description: This is a management tool to identify and elevate issues
from the workgroup level up to senior leadership. Issues can cover a
variety of concerns including facilities, management, work process, or
employee engagement concerns. The elevation of the issue stops with the
resolution of the issue.
Initiative name: Workforce of Tomorrow;
Description: This task force will review IRS's strategies to attract
and prepare for workforce challenges over the next five to ten years.
There are six focus areas: reinforce a culture that values people and
their contributions; enhance the role of managers; attract and retain
the best; streamline the hiring process; grow future leaders; and plan
a dynamic people strategy. Teams created with members of readiness
programs will develop plans and initiatives for each of the six focus
areas.
Source: GAO analysis of IRS data.
[End of table]
Workforce Commitment:
* Employees who understand and are committed to the organization's
mission and values and their roles within the organization;
* Employees who understand the broader implications of their work and
the downsides of possible failure.
IRS's performance management system is structured to build employees'
understanding of the organization's mission and values and their roles
within the organization. Through the performance management system, all
managers are expected to set employee expectations and align these
expectations with the IRS mission and strategic objectives. We have
reported that an explicit alignment of employee expectations with
broader organizational goals is a defining feature of an effective
performance management system in high performing organizations. We have
noted that these organizations use their performance management systems
to improve performance by helping individuals see the connection
between their daily activities and organizational goals, and this type
of system encourages individuals to focus on their roles and
responsibilities to help meet their goals.[Footnote 30] Accordingly,
IRS employees have communicated through employee interviews and surveys
that they know their roles in the organization's mission. The 2008 IRS
Employee Survey found that more than 85 percent of respondents IRS-wide
agree with the statement, "I know how my work relates to the agency's
goals and priorities."[Footnote 31]
Managers are also held accountable for the engagement of the employees
whom they supervise, an asset to resilient organizations. All managers
are held directly accountable for their workgroup's score on an
Employee Engagement Index, which is based on the annual IRS Employee
Survey. (See table 1 for details.)[Footnote 32] IRS defines employee
engagement as the degree of employees' motivation, commitment, and
involvement in the mission of the organization, and has created IRS-
wide annual targets to increase engagement scores. Managers of
workgroups that receive a score in the bottom 10 percent of all IRS
workgroups are automatically enrolled in the Leadership Coaching
Program. (See table 1 for details.) The coaching program is intended to
give these managers greater tools for improving or addressing employee
concerns. Managers in all four IRS business units broadly praised the
program. Additionally, according to IRS, scores on questions in the
engagement index improved by almost 40 percent between 2007 and 2008
for workgroups with managers in the coaching program.
Another IRS-wide initiative aimed at bolstering management
accountability for employee engagement is ES Tracker. (See table 1.)
Issues from the Employee Survey, workgroup issues, or other concerns
are entered into a database by workgroup managers. Managers are
responsible for taking action on the items or elevating them up the
management chain until an individual or committee addresses the issue.
For example, in a recent meeting of one workgroup, current employees
expressed frustration with the skill sets of newly hired employees.
They mentioned a past practice that included an additional level of
screening before hiring employees, and asked that management explain
why this screening was no longer in place. This question was entered
into ES Tracker and elevated for management to address.[Footnote 33]
Through ES Tracker, employees have also shared new and useful
technologies to make work more efficient and improve taxpayer
relations. For example, workgroups identified the need for financial
market data terminals which would assist IRS staff. The employees said
that the software would validate source information that taxpayers
provided to TE/GE revenue agents. These technologies were provided to
workgroups after management was alerted through ES Tracker. The Human
Capital Office can track trends in the system across IRS. This
transparency helps increase accountability by allowing employees to see
what issues management has addressed.
Although IRS has a number of programs in place to build staff
motivation, less than half of respondents in the 2008 IRS Employee
Survey agree with the statement, "In my organization, leaders generate
high levels of motivation and commitment in the workforce." This is
lower than the percentage of IRS employees responding positively to
most other survey questions, with which an average of more than 65
percent agreed. According to IRS managers, this response may be due to
the geographic dispersion of IRS offices and hierarchical distance
between employees and leadership. In many cases, IRS employees will
only see IRS senior leaders once a year, if at all. Many of the IRS
managers we talked to expressed concern about this disconnect and have
developed individual methods in addition to the IRS and division
initiatives to bridge the geographic and professional distance between
leadership and frontline workers. Managers and leaders have reported
including their pictures on e-mail messages, creating intranet pages to
communicate with employees, and making visits to IRS sites. Formal
initiatives include town hall meetings, which are run by IRS leadership
and provide employee exposure to senior leadership and a forum for
leadership to address employees. Additionally, E-talk, a Web-based
comment submission system, allows employees in one business unit to
anonymously share positive and negative comments directly with senior
leadership. IRS has included this survey question in the above
discussed employee engagement index, and accordingly, the steps taken
in response to the index--such as the coaching initiative--may affect
this score.
IRS Has a Number of Networks but Could Include Stakeholders to a
Greater Extent:
Networks:
* Formal and informal intra-organizational networks;
* Employees who understand the broader implications of their work and
the downsides of possible failure.
Despite IRS's large size and distributed workforce, there are many
formal ways for employees to communicate across different parts of the
agency.[Footnote 34] At the time of our review, IRS had a number of
cross-business-unit initiatives, including over two dozen internal
advisory committees to address human capital, technology, security, and
other operational issues. Also, business units have established working
groups, as needed, to address cross-functional tax administration
issues, and in some cases, teams of employees from multiple units do
the work.
Some of IRS's formal and informal human capital practices further
enhance internal networks. Formally, participants in the Executive
Readiness Program may complete assignments in other units of IRS. This
helps employees make contacts throughout the agency and observe the
operations of other units, which may better enable them to call on
others for assistance in the face of a disruption. IRS is also
developing corporatewide training for its Revenue Agent staff, a
position that is common to many of the business units. The training
will help employees to make contacts throughout the agency. Many IRS
employees move between business units during their careers. For
example, IRS's Workforce Plan shows that it is common for SB/SE
employees to move to LMSB.
IRS also works with a number of outside groups. Table 2 highlights
examples of such groups.
Table 2: Examples of IRS External Networks:
Network: Professional associations and taxpayer groups;
Purpose: IRS uses professional associations and taxpayer groups to help
with outreach and education, and to provide feedback on tax law
implementation.[A] For example, TE/GE's Advisory Committee on Tax
Exempt Entities--composed of stakeholders from governments, employee
plan providers, and tax-exempt organizations--provides consultation
with IRS on tax administration issues and helps provide outreach to
TE/GE constituencies.
Network: IRS Oversight Board;
Purpose: The Oversight Board focuses on strategic issues facing IRS.
Seven of the nine board seats are for organizations related to IRS and
help bring outside contacts and ideas into IRS. A recent board meeting
brought together representatives from private organizations to discuss
how they manage risks and mitigate vulnerabilities, and what IRS could
do to anticipate and prepare for unexpected risks.
Network: IRS-sponsored conferences and events;
Purpose: The annual Nationwide Tax Forum and other regular meetings
provide opportunities for interaction between IRS leaders and tax
professionals.
Network: Volunteer groups;
Purpose: IRS has relationships with over 12,000 volunteer groups
nationwide. These groups assist during filing season and these
connections between IRS and taxpayer community groups can prove useful
during a disruption. For example, SB/SE has agreements with tax
professionals in remote areas where IRS has no personnel to disseminate
IRS information in the event of a disaster.
Network: Intergovernmental groups and partnerships;
Purpose: IRS participates in the Government Contact Center Council,
sponsored by the General Services Administration, which facilitates the
sharing of best practices, information on handling situations, and
advice on software for federal call centers. In another example, the
Social Security Administration and the Department of Veterans Affairs
provided SB/SE with data on the location of beneficiaries who would
likely be affected by the economic stimulus legislation, which assisted
IRS with planning.
Source: GAO analysis of IRS data.
[A] We recommended that IRS measure the efficacy of some of its
outreach efforts. In response to our recommendation, IRS has hired a
contractor to conduct surveys and focus groups to assess the ability of
IRS partners, such as the AARP, to reach their target populations,
e.g., the elderly and limited English proficiency and rural
populations, and measure the effectiveness and quality of that
outreach. See GAO, Tax Administration: 2007 Filing Season Continues
Trend of Improvement, but Opportunities to Reduce Costs and Increase
Tax Compliance Should be Evaluated, GAO-08-38 (Washington, D.C.: Nov.
15, 2007) and GAO, Tax Administration: IRS's 2008 Filing Season
Generally Successful Despite Challenges, although IRS Could Expand
Enforcement during Returns Processing, GAO-09-146 (Washington, D.C.:
Dec. 12, 2008).
[End of table]
IRS Does Not Include External Stakeholders in Tests and Exercises:
Federal Continuity Directive 1 requires that agencies perform annual
tests of the internal and external interdependencies identified in
their continuity plan, with respect to performing mission-essential
functions.[Footnote 35] Agencies are also required to have an
opportunity to demonstrate inter-and intra-agency communication
capabilities and to test equipment used in internal and external
communication. However, the Federal Continuity Directive does not
specify whether representatives of external entities need to be present
at the tests and exercises, or whether they can simply be represented
by agency personnel. IRS is currently implementing the requirements
from the Federal Continuity Directive.
Networks:
* Clearly identifying critical suppliers, assessing their reliability,
and considering the availability of alternate arrangements in
emergencies.
IRS guidelines require business units to include internal stakeholder
groups in tests and exercises but do not have parallel requirements for
external stakeholder groups. Internal groups include Modernization and
Information Technology Services and Agency Wide Shared Services that
move resources throughout IRS and provide services necessary for
employees to do their jobs. Internal interdependencies are tested
through integrated tabletop exercises, which IRS requires for large
geographic regions as part of its annual test and exercise strategy.
However, IRS currently has no requirement for including external
stakeholders in tests and exercises. As a result, tests and exercises
involving these entities have been inconsistent across IRS. The few IRS
exercises involving external entities tend to be centered on a large
city or on IRS campuses.
In the exercises in which external partners participated, IRS benefited
by identifying important lessons to integrate into its plans. In one
case, IRS held an integrated tabletop exercise with FEMA and the
Central U.S. Earthquake Consortium--an educational organization that
coordinates multistate efforts in emergency planning for an earthquake
in the central United States--where IRS managers and Business
Resumption Plan coordinators reacted to a detailed earthquake scenario.
FEMA was able to provide IRS with a specific impact analysis on its
facilities, which showed that the affected area would be much larger
than IRS had anticipated. As a result of the exercise, IRS recognized
that an alternative computing site would be unusable after an
earthquake, and now plans to relocate the site. In some cities, IRS
also participates in exercises hosted by the local Federal Executive
Boards that bring together federal agencies located in the same city.
By participating in an Atlanta Federal Executive Board exercise, IRS
was able to establish important contacts with local government
officials.
However, even in campus locations, some exercises occur without
participation from external entities. For example, IRS's Atlanta campus
has its own on-site post office, and is co-located with the Centers for
Disease Control and Prevention, but neither the post office nor the
Centers for Disease Control and Prevention participates in IRS
exercises. In a recent exercise, participants from IRS have discussed
the possible response of the post office, but postal representatives
were not included in the tabletop exercises.
By not having regular external participation in tests and exercises,
IRS missed several opportunities for strengthening ties that could play
a critical role during a disruption. For example, an SB/SE office in
New Jersey that faced a possible anthrax contamination learned that the
local authorities on whom IRS relies in such situations were ill
prepared and even unaware of how to put on protective suits. Rather
than learning these deficiencies during a no-risk situation, such as an
exercise, IRS identified the local authorities' lack of preparedness
during a situation that could have proved harmful.
The need to include stakeholders is particularly relevant for providers
of electronic tax software and Electronic Return Originators. As we
recently reported, electronic tax software and the associated
electronic return originators, which electronically submit returns to
IRS, are key to the tax administration system.[Footnote 36] In 2007, 39
million tax returns were prepared using commercial software and the
majority of electronically submitted returns went through electronic
return originators. Even though these organizations are a critical
component of the tax administration system, they are not formally
included as part of IRS's test and exercise strategy. We recently
recommended that IRS develop and plan for effectively monitoring
compliance with recommended security and privacy standards for the 2010
filing season. We should note, however, that with one recent exception
which did not have a significant effect, tax software companies have
been generally reliable providers of electronic filing services.
Conclusions:
In the face of tax law changes and natural disasters, IRS has exhibited
a considerable degree of resilience. After these experiences, it has
also demonstrated it is able to incorporate lessons from these past
disruptions into its planning and policies. IRS's strategic
flexibilities and tools to distribute leadership capabilities through
the workforce and hold individuals accountable are additional ways that
IRS builds its capacity for resilience.
While IRS has been generally successful in the face of past
disruptions, its current test and exercise strategy does not include
simulations of real events through functional or full-scale exercises,
which limits the ability of IRS staff to gain experience in responding
to more realistic circumstances. Realistic and stressful circumstances
are important to include in tests and exercises, because they build in
employees the capacity to respond to the stress of actual events. At
the same time, functional and full-scale exercises require greater
financial and staff investment than do tabletop exercises. Accordingly,
these types of tests and exercises could be done on a limited basis and
the results evaluated to assess the costs and benefits before
conducting them more widely. At the same time, stressful circumstances
can still be included in routine drills, which affect a wider range of
employees than specific planning exercises, with a lower cost and less
time commitment.
Furthermore, the innovation required in the face of some disruptions
includes knowing how to draw on the agency's own resources and the
resources of others. This capacity cannot be achieved with simple
planning exercises alone or in isolation, but requires individuals to
have the opportunity to practice responding to stressful circumstances
with key stakeholders.
Recommendations:
To improve the resilience of IRS operations, we recommend that the
Commissioner of the Internal Revenue Service direct the appropriate
officials to take the following three actions:
1. Establish a plan to conduct a limited number of functional or full-
scale exercises to include IRS leadership and emergency personnel.
These tests and exercises should be followed by an evaluation of their
costs and benefits. Based on the evaluations, IRS emergency plans
should be revised to reflect the degree to which the tests should be
replicated more broadly.
2. Establish plans for the inclusion of some degree of stressful
circumstances in the routine evacuation and shelter-in-place drills in
which all IRS employees participate.
3. Modify test and exercise standards to include involvement of
external stakeholders.
Agency Comments and Our Evaluation:
We provided a draft of this report to officials at IRS for their review
and comment. IRS's comments are reproduced in appendix III. In its
comments, IRS agreed with all three of our recommendations.
As agreed with your offices, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the report date. At that time, we will send copies to the
Commissioner of the IRS. The report also is available at no charge on
the GAO Web site at [hyperlink, http://www.gao.gov].
If you or your staff have any questions concerning this report, please
contact me at (202) 512-6543 or steinhardtb@gao.gov. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report. Major contributors to this report are
listed in appendix IV.
Signed by:
Bernice Steinhardt:
Director, Strategic Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
The objectives of this report were to:
* define organizational resilience and its dimensions,
* determine the degree to which selected IRS field operations exhibit
the attributes of organizational resilience, and:
* identify challenges and opportunities to improve organizational
resilience at IRS.
To define organizational resilience and the attributes of resilience we
reviewed academic literature from the fields of psychology, ecology,
organizational and management science, high-reliability organizations,
continuity, and disaster management, as well as relevant GAO and
Treasury Inspector General for Tax Administration (TIGTA) reports. In
addition, we interviewed 11 academic and practitioner experts--in
emergency preparedness and disaster management, management and
organizational psychology, critical infrastructure, and strategic
planning--regarding organizational resilience. These experts were
chosen based on their publications, contributions to their field, and
the frequency with which other experts cited their work. Through an
iterative process with the experts, we developed a list of 21
attributes related to organizational resilience. These attributes were
then arranged into five broad categories: emergency planning,
organizational flexibility, leadership, committed workforce, and
networks.
To identify the ways that the Internal Revenue Service (IRS) exhibits
the attributes of organizational resilience and the opportunities that
IRS has to take on additional practices which would make it more
resilient we selected relevant parts of IRS, completed a document
review, observed organizational meetings, and held interviews with IRS
officials. The four business units of IRS were selected for review:
Wage and Investment (W&I), Small Business/Self-Employed, Large and Mid-
Size Businesses, and Tax Exempt/Government Entities. We selected these
divisions because their work fulfills the statutory authority of IRS.
Additionally, we examined the specific units and offices within IRS
headquarters and functional units which support the work of the
business units including the Human Capital Office, Agency-Wide Shared
Services (AWSS), and Modernization Information and Technology Services
(MITS) office.
To learn about IRS practices which relate to organizational resilience,
we reviewed GAO and TIGTA reports, IRS documents, and interviewed IRS
representatives. For each of the four business units and IRS
headquarters, the Commissioner or designated representatives as well as
representatives from the offices of human capital and emergency
planning were interviewed. For the functional unit AWSS,
representatives from the offices of emergency planning, facilities
management, and the Senior Commissioner Representatives were
interviewed. For the functional unit MITS, representatives of relevant
offices to organizational resilience, including End-User Services and
Cyber Security, were interviewed. Representatives from the cross-IRS
working groups of Workforce of Tomorrow, Emergency Management and
Preparedness Working Group, and Security Services and Privacy Executive
Steering Committee also were interviewed. Additionally, we interviewed
the president of the National Treasury Employees Union.
To gain perspectives on the views and working relationships of IRS
employees, we reviewed survey data and observed selected meetings and
offices. We reviewed IRS Employee Survey results for 2007 and 2008; IRS
provided the raw data for these surveys to GAO. We determined that
available data were sufficiently reliable for the purposes of this
report. However, we should note that the response rate to the survey
was about 60 percent, a rate which typically raises concerns about
possible bias due to nonresponse. To address this concern, we reviewed
IRS's response bias analysis that had determined no adjustments were
required to correct for nonrespondents. In addition, based on the
average positive response rate of about 65 percent, we set a threshold
for reportable positive responses of more than 80 percent and a
threshold for negative responses of less than 50 percent, and selected
only responses from those that exceeded these thresholds. Additionally
IRS provided documentation and analysis related to the IRS Employee
Engagement Index, which is based on the IRS Employee Survey data.
Furthermore, we observed IRS employees at the Emergency Management and
Planning Working Group monthly meetings; the AWSS-sponsored Federal
Continuity Directives 1 and 2 seminar for emergency planning
representatives from all IRS business, headquarters, and functional
units; and the W&I call center routing center, submissions processing,
and accounts management facilities.
We conducted this performance audit from January 2008 to April 2009, in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
We assessed the reliability of data used in this report by (1)
performing electronic testing of required data elements, (2) reviewing
existing information about the data and the system that produced them,
and (3) interviewing agency officials knowledgeable about the data. We
determined that the data were sufficiently reliable for the purpose of
this report.
[End of section]
Appendix II: Expanded Discussion of Organizational Resilience
Attributes:
Organizational resilience is the quality that would enable an
organization to restore itself or thrive following a disruption, by
which we mean a sudden and externally imposed circumstance that has the
potential to substantially compromise an organization's ability to
accomplish its mission. A highly resilient organization is identified
by the speed and agility it demonstrates in achieving a return to its
normal state (or new normal state) and its resulting enhanced ability
to respond to future disruptions.
To make our definition of organizational resilience more practical and
observable, we identified 21 attributes that can be placed in five
related categories. We found that organizational attributes related to
emergency planning, organizational flexibility, leadership, workforce
commitment, and networked organizations are particularly associated
with resilience and provide a useful assessment framework. These
characteristics can help an organization be resilient after a
disruption, but under certain circumstances, even a relatively
resilient organization might not be able to recover. (See figure 3.)
Figure 3: Framework of Organizational Resilience:
[Refer to PDF for image: illustration]
Interlocking concepts form a circle around the term Organizational
Resilience. Those concepts are:
Emergency planning;
Organizational flexibility;
Leadership;
Workforce commitment;
Networked organizations.
Source: GAO.
[End of figure]
Emergency Planning:
Emergency planning identifies disruption that could potentially affect
an organization and defines and tests strategies to face disruptions.
Attributes Associated with Emergency Planning:
* Test and exercise requirements that challenge employees to respond to
unexpected and stressful circumstances that require adjustments to
established plans and procedures;
* Incorporation of lessons learned from tests, exercises, and past
disruptions into its emergency plans;
* Management decisions based on risk assessments;
* Employees at all levels and in various units and locations of the
organization who are involved in emergency planning efforts.
Test and Exercise Requirements that Challenge Employees to Respond to
Unexpected and Stressful Circumstances that Require Adjustments to
Established Plans and Procedures:
An organization that performs regular tests and exercises of their
emergency plans will likely better know how to handle a real
disruption. According to Federal Emergency Management Administration
(FEMA) training materials, an exercise is a practice that "places the
participants in a simulated situation requiring them to function in the
capacity that would be expected of them in a real event. Its purpose is
to promote preparedness by testing policies and plans and training
personnel." An exercise program should include long-range goals,
schedules, and roles and responsibilities for executing the tests and
exercises. Tests and exercises should be challenging and include a
variety of scenarios. As one of our experts suggested, organizations
should occasionally withhold an expected resource, which forces
participants to improvise and use creativity.
Incorporation of Lessons Learned from Tests, Exercises, and Past
Disruptions into Its Emergency Plans:
Aside from learning how to react to a scenario, tests and exercises are
an opportunity to expose flaws in plans. After a test or exercise,
participants should be debriefed and participate in a discussion about
lessons from the scenario. Resulting lessons should be incorporated
into revisions to plans, guidance, training or other related documents.
Not implementing such changes leaves organizations vulnerable to
recommitting mistakes. To demonstrate this attribute, an organization
should have after-action reports from tests and exercises, and
documentation of implementing changes that result from the reports.
[Footnote 37]
Management Decisions Based on Risk Assessments:
An organization that is aware of its surroundings and takes its risks
and vulnerabilities into account during decision making could diminish
effects of a disruption. A couple of our experts emphasized the
importance of having realistic views of hazards and vulnerabilities,
with one of them emphasizing the need for identifying consequences and
possible solutions. Prior GAO work has defined risk management as a
strategic process for helping decision makers make decisions about
assessing risk, allocating finite resources, and taking actions under
conditions of uncertainty.[Footnote 38] The risk management process
includes setting strategic goals, objectives, and constraints;
performing threat, vulnerability, and criticality assessments;
evaluating alternatives; selecting an alternative; and implementing and
monitoring decisions.
Employees at All Levels and in Various Units and Locations of the
Organization Who Are Involved in Emergency Planning Efforts:
Aside from the content and implementation of plans, it is important for
an organization to have an open and participative process for creating
emergency plans. This includes acknowledging and, as appropriate,
including employee feedback in the planning process. Giving employees a
relationship with a plan helps ensure that they are familiar with it,
according to one of our experts. Evidence for this attribute could be
found in rosters of participants in emergency planning sessions or
membership lists of any planning committees, or documentation of any
employee-initiated changes.
Organizational Flexibility:
A flexible organization that is receptive to change has a workforce
that can respond to a range of disruptions flexibly and with agility.
Attributes Associated with Organizational Flexibility:
* Employees with sufficient breadth of expertise to contribute to
resumption efforts in a variety of ways;
* Redundant or alternate paths to achieve results;
* Financial, physical, information technology, and human resources
managed with an adequate margin to respond to unexpected events;
* A culture that encourages:
- Employee creativity and innovation;
- Acceptance of change and uncertainty as a learning opportunity.
Employees with Sufficient Breadth of Expertise to Contribute to
Resumption Efforts in a Variety of Ways:
When employees have a wide breadth of expertise and the ability to work
in different positions and areas of the organization, the organization
has a broader array of human resources to draw on and compensate for
any losses after a disruption. Employees with experience in different
locations, levels, units, or occupations within an organization likely
have the type of broad knowledge necessary to act quickly and fill in
when an organization is lacking in resources. Breadth of expertise can
be obtained through cross-training, serving on details or rotations
among different organizational units, or by having different roles
through natural career progression.
Redundant or Alternate Paths to Achieve Results:
An organization with physical and human resources that are
geographically dispersed is more likely to be resilient because of an
ability to relocate operations should a facility need to close. An
increased number of pathways for operating decreases the effect of a
disruption at any one site. Redundancies can be physical or equipment-
based, such as having a field office structure, designating alternative
sites, or having storage areas for backup files or equipment that are
not co-located with office sites. Redundancies can also exist in human
resources, meaning that more than one employee is capable of performing
a specific job should some employees be unable to work. This attribute
can be demonstrated through the existence of multiple work sites and
plans that identify alternative sites and backup personnel.
Financial, Physical, Information Technology, and Human Resources
Managed with an Adequate Margin to Respond to Unexpected events:
An organization's breadth of expertise and distributed capacity will
likely be effective only if adequate assets are in reserve to support
reallocating employees and resources. Specifically, an organization
needs the ability to free employees, budget, and physical and
technology resources during a disruption, sometimes referred to as
margin. Organizations with overstretched resources and excessive
workloads will likely find it difficult to shift employees, finances,
or office space into alternate configurations. This attribute can be
seen in looking at the organization's workload inventory,
identification of any chronic staff shortages, or assessments of how an
organization works under budgetary constraints.
A Culture that Encourages Employee Creativity and Innovation:
Employees who have demonstrated an ability to think independently and
use creative problem-solving skills will likely be more resourceful and
able to improvise after a disruption. Organizations can encourage and
facilitate the development of these skills by giving employees
opportunities to propose solutions to workplace challenges, and to
involve employees in identifying improvements. An organization that
supports these skills may also offer related training, or it may have
job descriptions or competencies for employees that set performance
expectations for their ability to think creatively and apply new ideas.
Similarly, the organization may recognize employees who introduce new
processes and ideas with awards that are visible within the
organization.
A Culture that Encourages Acceptance of Change and Uncertainty as a
Learning Opportunity:
An organization that resists rigidity and accepts that improvements can
accompany change will likely be better able to address vulnerabilities,
respond with agility during a disruption, and thrive afterwards. This
includes having a tolerance for ambiguity and a willingness to keep
multiple options open when faced with decisions. Rigidity or an over-
reliance on bureaucratic structures can increase vulnerability to
disruption and can paralyze an organization during a disruption.
Furthermore, after change occurs, the organization should be able to
grow its competence based on increased knowledge and experience.
Observing ways the organization has dealt with change or assessing the
levels of employee or outside involvement in decision making can serve
as anecdotal evidence for this attribute. Additional evidence might
include training on change management to employees, or job descriptions
or competencies for employees that set performance expectations for
ability to accept change.
Leadership:
Leaders who demonstrate respect for their employees and are accountable
for results are more likely to garner the employee commitment that will
be needed after a disruption. Additionally, when leadership abilities
are distributed broadly through the workforce, an organization is more
likely to be resilient.
Attributes Associated with Leadership:
* Treating employees with respect and acknowledging the needs of
employees;
* Preparing employees to exercise leadership when necessary, which
includes making appropriate decisions and, in some cases, commitments
on the part of the organization;
* Delegating responsibility based on knowledge of employee skills and
past work experiences;
* Building an empowered and effective workforce by supporting employee
achievement and professional development;
* Holding leaders accountable for results; having tools that hold staff
accountable for results.
Treating Employees with Respect and Acknowledging the Needs of
Employees:
Leaders who understand and accommodate the needs of their employees and
acknowledge a necessary work/life balance, particularly after a
disruption, can increase resilience, as it is important to help resolve
employees' personal problems because of the problems' potential to
affect the workplace. As one of our experts stated, leaders should
acknowledge the emotion and uncertainties that surround an event, be
realistic about its effects, and have strong communication with
employees. Respect could be seen in availability of support or
counseling services for employees after a disruption, or through work/
life balance provisions such as telework.
Preparing Employees to Exercise Leadership When Necessary, which
Includes Making Appropriate Decisions and, in Some Cases, Commitments
on the Part of the Organization:
As one of our experts said, leaders need to be empowered in a crisis to
take initiative and make logical decisions without fear of punishment.
This autonomy can come from a management style that encourages
independent action. An organization should have provisions that enable
individuals to exercise judgment, discretion, and to make and recover
from mistakes, according to one expert.
Delegating Responsibility Based on Knowledge of Employee Skills and
Past Work Experiences:
Rather than strictly relying on hierarchy, leaders of a resilient
organization should delegate to enhance employee development and to
maximize the achievement of organizational goals. This requires an
awareness of employee strengths and skills. One of our experts
emphasized the need to devolve authority to the employees equipped to
deal with a specific situation and who know the work. Leaders must then
support employee decisions by granting autonomy and providing the
necessary coordination and resources. This attribute could be seen in
managers' use of horizontal teams and task forces for decision making,
and managers having a knowledge and skills database to catalog special
employee skills.
Building an Empowered and Effective Workforce by Supporting Employee
Achievement and Professional Development:
An organization that supports continuing education, professional
development, and expanded leadership opportunities will be more likely
to be resilient. As one of our experts said, leaders can help employees
learn to have confidence in their ability to perform a task or achieve
an outcome. Competence is based on training, experience, and
development of specialized knowledge, and as competence grows so does
one's ability to respond and recover from unfamiliar or challenging
situations. Opportunities for employees to further their professional
knowledge and experiences lead to increased confidence and competence.
Holding Leaders Accountable for Results; Having Tools that Hold Staff
Accountable for Results:
Organizations with mechanisms to hold individual leaders accountable
for unit and organizational performance will likely have a pre-existing
focus on responsibilities for organizational accomplishments that will
aid in resilience. Accountability is especially important during
catastrophic disasters, as it helps to ensure that resources are used
appropriately.[Footnote 39] Prior GAO work has shown that performance
management systems can help reinforce individual accountability for
organizational results. This includes creating pay, incentive, and
reward systems that link employee knowledge, skills, and contributions
to organizational results. In addition, requiring and tracking follow-
up actions on performance gaps and requiring follow-up actions to
address organizational priorities can increase accountability.[Footnote
40]
Workforce Commitment:
A workforce that is committed to the organization provides individual
motivation to make significant personal investments and provide the
organizational knowledge that may be necessary for organizational
success following a disruption.
Attributes Associated with Workforce Commitment:
* Employees who understand and are committed to the organization's
mission and values and their roles within the organization;
* Employees with the skills necessary to meet the organization's
mission and address any problems that may arise;
* Employees who understand the broader implications of their work and
the downsides of possible failure, who demonstrate appropriate actions
when faced with potential disruptions.
Employees Who Understand and Are Committed to the Organization's
Mission and Values and Their Roles within the Organization:
An explicit alignment of daily activities with broader results helps
individuals see the connection between their daily activities and
organizational goals and encourages individuals to focus on their roles
and responsibilities to help achieve those goals.[Footnote 41] This
helps with employee accountability, but can also provide employees with
a sense of purpose, both of which are an advantage for resilience. If
an organization faces a disruption and employees know their roles in
achieving the organization's mission and goals, they will have
organizational principles to guide their actions. Leaders can dispense
and reinforce this knowledge through including specific goals in
individual employee performance plans and job elements, and updating
employees on progress on organizational goals.
Not only should employees know their roles in the organizational
mission, but if they are committed to that mission there is an
increased likelihood that employees will extend themselves and give the
organization momentum during a disruption. According to one of our
experts, the commitment should be to the organization's mission, not
the organization itself. Thus employees' self interest should overlap
with the interests of the organization. This attribute can be observed
through employee feedback and employee involvement in organization-wide
initiatives.
Employees with the Skills Necessary to Meet the Organization's Mission
and Address Any Problems that May Arise:
An organization that has few critical skill gaps will likely be better
able to meet the daily needs of the organization and those that could
arise during a disruption. Similar to having a workforce with a breadth
of expertise, an organization's employees should have some universal
skill sets beyond those needed for their current duties. In the words
of one of the experts we spoke with, the more skills that an employee
has, the more problems they are able to see, thus enabling them to
interact and intervene earlier during a disruption; if someone is
lacking in skills they will likely overlook potential problems.
Additionally, employees should be able to act under ambiguous and
unstructured circumstances. Organizations can demonstrate this
attribute by performing regular skill gap analyses and taking steps to
fill any deficiencies, by providing for continuous education and career
development, particularly through cross-functional assignments or
training.
Employees Who Understand the Broader Implications of Their Work and the
Downsides of Possible Failure, Who Demonstrate Appropriate Actions When
Faced with Potential Disruptions:
An organization that has an alert workforce and a culture in which
employees can call attention to errors will be better off during and
after a disruption. According to one author, employees in a resilient
organization need to seek and examine potentially disturbing
information. This includes doing scans of the environment and
understanding the risks and priorities of the organization; or, in the
words of another expert, having a "broad horizon." The information
gathered through situational awareness and other sources helps inform
the risk management process. An organization can demonstrate this
attribute by providing ways for employees to report problems, and
rewarding employees who identify and suggest ways to address potential
problems.
Networked Organizations:
Solid internal and external networks can facilitate and strengthen
other resilience attributes. For example, having dependable connections
will likely expand and expedite an organization's access to resources
when faced with a disruption. Specifically, being aware of
interdependencies, knowing when reinforcement is needed, and being able
to communicate among interdependent units can give an organization an
extended reach for information, resources, and advice. Furthermore, an
organization's knowledge of its supply chain interdependencies can help
identify vulnerabilities, which can inform risk assessments and
emergency planning.
Attributes Associated with Networked Organizations:
* A plan and means to communicate with target audience;
* Formal and informal intra-organizational networks;
* Clearly identifying critical suppliers, assessing their reliability,
and considering the availability of alternate arrangements in
emergencies;
* Reliable partnerships with community and peer organizations;
employees who are connected to other organizations through professional
associations and networks.
A Plan and Means to Communicate with Target Audience:
Having a plan to communicate with employees, clients, and other
stakeholders in the event of a disruption will likely help an
organization to acquire and share information during a disruption, and
correct any misinformation. Communication with employees about the
status of the organization (i.e., building closures and leave policies)
and any revised expectations for performance can reduce uncertainty and
help employees adjust to change. Communication with clients about any
changes in service can help to manage reputations after a disruption.
Communication should occur through multiple formats, and should occur
through a designated official source. An organization can demonstrate
this attribute by having information hotlines or Web sites ready to
disseminate information, or by having a media relations public affairs
office. Having connections with partners or peer organizations could
also prove helpful in delivering a message.
Formal and Informal Intra-organizational Networks:
Collaboration and connections among employees can increase an
organization's resilience by decentralizing information and decision
making, thereby strengthening knowledge, commitment, and problem-
solving abilities. Networks throughout the organization can also help
build other resilience attributes. For example, employees' ability to
connect with one other to access resources from other units or
locations can increase the organization's distributed capacity and make
better use of the organization's breadth of expertise. A collaborative
and connected workforce is also more likely to be aligned and committed
to the organization, according to a couple of our experts. This
attribute can be observed through the presence of cross-functional
working groups, classes, or information-sharing sessions.
Clearly Identifying Critical Suppliers, Assessing Their Reliability,
and Considering the Availability of Alternate Arrangements in
Emergencies:
Resilient organizations need a sense of where to go if there is a
disruption and no ordinary means to obtain resources, according to one
expert. Both internal and external interdependencies should be assessed
as part of the risk management process, and should be checked through
tests and exercises. An organization can demonstrate this attribute by
having contracts with backup suppliers, putting in supplier contracts
expectations during a disruption, and involving internal and external
entities in tests and exercises.
Reliable Partnerships with Community and Peer Organizations; Employees
Who Are Connected to Other Organizations Through Professional
Associations and Networks:
An organization that has a network of partners and alliances with other
organizations will likely have access to additional advice, help, and
resources during a disruption. Partners could include peer
organizations, professional organizations, government entities, or co-
located organizations. In addition to providing resources to increase
an organization's margin, partners can provide employees with
opportunities to build breadth of expertise through professional
contacts and programs, they can provide feedback from customers, and
they can give a broader perspective on emergency preparedness. This
attribute can be seen in employee participation in professional
organizations, employee participation in conferences or external
training, or formalized agreements for resource sharing with other
organizations.
Overall Comments about the Attributes:
All of these attributes contribute to potential organizational
resilience but do not ensure it, because all disruptions are individual
situations and even a resilient organization may not be able to restore
operations after a disruption. Furthermore, during a disruption, some
attributes may prove to be more important than others. For example, we
found after the 2006 flood of IRS headquarters that IRS did not
activate the headquarters continuity of operations plan because of the
specific conditions of the flood. Specifically, alternate work space
was available for all headquarters employees within a relatively short
period, reducing the importance of identifying critical personnel, a
required step of continuity of operations planning. Additionally, with
many attributes, there is the potential for condition where the excess
of a positive attribute becomes negative. For example, too much
experience with change could make employees suffer from innovation
fatigue and become less open and receptive to change.
[End of section]
Appendix III: Comments from the Internal Revenue Service:
Department Of The Treasury:
Deputy Commissioner:
Internal Revenue Service:
Washington, D.C. 20224:
March 27, 2009:
Ms. Bernice Steinhardt:
Director, Strategic Issues:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Ms. Steinhardt:
Thank you for the opportunity to respond to your draft report entitled
"IRS Practices Contribute to its Resilience, but It Would Benefit from
Additional Emergency Planning Efforts" (GAO-09-418).
We are pleased the Government Accountability Office (GAO) determined
that the Internal Revenue Service is a resilient organization, based on
your assessment of our emergency planning, organizational flexibility,
leadership, workforce commitment, and networked organizations. The
nature of our business relies on our ability to be resilient and to
react quickly to initiatives such as the 2008 economic stimulus bill,
which we successfully managed during peak filing season, and to utilize
lessons learned from unanticipated external events such as Hurricanes
Katrina and Rita, and the main building flood.
Your suggestions will improve our emergency planning test and exercise
program and we will incorporate them accordingly. We take emergency
preparedness seriously and are committed to continuous Business
Continuity Program improvement. Vigorous advancements to our program
include:
* Development of standard templates to ensure consistent and complete
continuity plans;
* Development of criteria for multi-year testing, training and exercise
strategies in accordance with federal continuity directives;
* Provision of program assistance to business units by way of the
Emergency Management and Preparedness Working Group;
* Increased oversight of compliance with program requirements by the
Emergency Management and Preparedness Executive Steering Committee, and
dedicated executive leadership vested in a single individual
accountable for program execution;
* Deployment of a web-based centralized online repository of all
critical enterprise documentation to enable a cohesive and coordinated
approach to all aspects and execution of the Business Continuity
program;
* Establishment of Critical Business Processes providing the foundation
to develop business-focused enterprise resiliency and continuity plans;
* Completion of Enterprise Business Impact Assessments to evaluate the
impact of loss of all processes, systems, locations, etc.; and;
* Continued testing, evaluation, and annual update of disaster recovery
plans to ensure that the timely restoration of disrupted business
processes will occur within established recovery priority and timeframe
objectives.
We also appreciate your acknowledgement of our many human capital
initiatives, which serve as significant attributes of effective
organizational resilience. We are proud of our progress with our
Readiness Programs, Employee Survey and the associated Employee
Engagement Index and ESTracker, and our Manager Coaching Program. In
particular, our Workforce of Tomorrow Initiative has made progress in
promoting IRS as an employer of choice and excellent work place. We are
committed to building a proficient workforce and able leadership that
are ready to engage future challenges.
The enclosed response addresses each of your recommendations in more
detail. If you have any questions, please contact me, or a member of
your staff may contact David A. Grant, Acting Chief, Agency-Wide Shared
Services, at (202) 622-7500.
Sincerely,
Signed by:
Mark A. Ernst:
Deputy Commissioner, Operations Support:
Enclosure:
[End of section]
Enclosure:
Recommendation #1:
Establish a plan to conduct a limited number of functional or full-
scale exercises to include IRS leadership and emergency personnel.
These tests and exercises should be followed by an evaluation of their
costs and benefits. Based on the evaluations, IRS emergency plans
should be revised to reflect the degree to which the tests should be
replicated more broadly.
Comment:
We agree with the recommendation and will develop an exercise plan
accordingly. Our multi-year test, train and exercise strategies are
currently under development and will be enhanced to include functional
or full-scale exercises based upon a review and evaluation of costs and
benefits.
Recommendation #2:
Establish plans for the inclusion of some degree of stressful
circumstances in the routine evacuation and shelter in place drills in
which all IRS employees participate.
Comment:
We agree with this recommendation and will include more challenging
situations in our Occupant Emergency Plans and Shelter-In-Place
testing, as well as in our multi-year test, train and exercise strategy
that is under development.
Recommendation #3:
Modify test and exercise standards to include involvement of external
stakeholders.
Comment:
We agree with this recommendation and will modify the FY 2009 Exercise
Strategy to involve external stakeholders in integrated exercises,
based on the exercise scenario. We will also include external
stakeholders in the multi-year test, train and exercise strategy that
is under development.
[End of enclosure]
[End of section]
Appendix IV: GAO Contact and Staff Acknowledgements:
GAO Contact:
Bernice Steinhardt, (202) 512-6543 or steinhardtb@gao.gov:
Staff Acknowledgments:
In addition to the contacts listed above, William J. Doherty (Assistant
Director) and Mallory Barg Bulman (Analyst-in-Charge) supervised the
development of this report.
Lindsay Welter, Colleen A. Moffatt, and Daniel Berring made significant
contributions to all aspects of the report. James R. White and Neil A.
Pinney provided expertise on tax administration. Martin De Alteriis,
Beverly Ross, and Karen O'Connor assisted with design, methodology, and
data analysis. Sabrina Streagle provided legal counsel. Melanie H.
Papasian provided editing assistance. William Trancucci verified the
information in the report. In addition, Robert Love, John F. Mortin,
and James R. Sweetman made key contributions to this report.
[End of section]
Footnotes:
[1] Treasury Inspector General for Tax Administration, Weaknesses in
Business Resumption Plans Could Delay Recovery From a Disaster, 2008-
20-178 (Washington, D.C., Sept. 2008); Treasury Inspector General for
Tax Administration, Emergency Preparedness at Internal Revenue Service
Facilities Needs to Be Improved, 2008-10-148 (Washington, D.C., Sept.
2008); Treasury Inspector General for Tax Administration, Disaster
Recovery Issues Have Not Been Effectively Resolved, but Progress Is
Being Made, 2008-20-061 (Washington, D.C., Feb. 2008).
[2] See Pub. L. No.105-206, 112 Stat. 685.
[3] Most of the current federal work on resilience is focused on
critical infrastructure. This report focuses more narrowly on
organizational resilience, specifically among federal agencies.
[4] In many cases, the terms "resilience" and "resiliency" are used
interchangeably. For the purposes of this report, we use the term
"resilience."
[5] Department of Homeland Security, National Infrastructure Protection
Plan (Washington, D.C., 2006).
[6] House Committee on Homeland Security, The Resilient Homeland:
Broadening the Homeland Security Strategy, 110th Cong., 2nd sess., May
6, 2008; House Committee on Homeland Security, Subcommittee on Border,
Maritime and Global Counterterrorism, Assessing the Resilience of the
Nation's Supply Chain, 110th Cong., 2nd sess., May 7, 2008; House
Committee on Homeland Security, Subcommittee on Emergency
Communications, Preparedness and Response, Advancing Public Alert and
Warning Systems to Build a More Resilient Nation, 110th Cong., 2nd
sess., May 14, 2008; House Committee on Homeland Security, Subcommittee
on Transportation Security and Infrastructure Protection, Partnering
with the Private Sector to Secure Critical Infrastructure: Has the
Department of Homeland Security Abandoned the Resilience-Based
Approach?, 110th Cong., 2nd sess., May 14, 2008; House Committee on
Homeland Security, Subcommittee on Emerging Threats, Cybersecurity and
Science and Technology, Implications of Cyber Vulnerabilities on the
Resilience and Security of the Electronic Grid, 110th Cong., 2nd sess.,
May 21, 2008.
[7] The Federal Continuity Directive 1 provides direction for the
development of continuity plans and programs in the federal executive
branch; it is the implementation guidance for the National Continuity
Policy. See Department of Homeland Security, Federal Continuity
Directive 1 (Washington, D.C., February 2008).
[8] This summary includes selected examples from past disruptions. For
a more detailed discussion of each attribute, please see appendix II.
[9] For more information, see GAO, Hurricane Katrina: GAO's Preliminary
Observations Regarding Preparedness, Response, and Recovery,
[hyperlink, http://www.gao.gov/products/GAO-06-442T] (Washington, D.C.:
March 8, 2006).
[10] For more information see, The 9-11 Commission, The 9-11 Commission
Report: Final Report of the National Commission on Terrorist Attacks
Upon the United States, Official Government Edition, (Washington, D.C.,
2007).
[11] For more information, see GAO, Year 2000 Computing Challenge:
Lessons Learned Can Be Applied to Other Management Challenges,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-290] (Washington,
D.C.: September 12, 2000).
[12] For more information, see U.S. Senate Committee on Homeland
Security and Governmental Affairs, Hurricane Katrina: A Nation Still
Unprepared, S. Rpt. 109-322 (Washington, D.C., 2006).
[13] For more information see GAO, Progress Has Been Made to Address
the Vulnerabilities Exposed by 9/11, but Continued Federal Action Is
Needed to Further Mitigate Security Risks, [hyperlink,
http://www.gao.gov/products/GAO-07-375] (Washington, D.C. January 24,
2007).
[14] Select Bipartisan Committee to Investigate the Preparation for and
Response to Hurricane Katrina, H. Rpt. 109-377, A Failure of
Initiative: Final Report of the Select Bipartisan Committee to
Investigate the Preparation for and Response to Hurricane Katrina
(Washington, D.C., 2006).
[15] H. Rpt. 109-377.
[16] For more information, see Federal Reserve, the New York State
Banking Department, the Office of the Comptroller of the Currency, and
the Securities and Exchange Commission, Summary of "Lessons Learned"
from Events of September 11 and Implications for Business Continuity
(Feb. 2002).
[17] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-290].
[18] IRS has an agreement with FEMA that FEMA may use the IRS call
centers to assist with disaster response.
[19] For more information, see GAO, Tax Administration: IRS Improved
Some Filing Season Services, but Long-Term Goals Would Help to Manage
Strategic Trade-Offs, [hyperlink,
http://www.gao.gov/products/GAO-06-51] (Washington, D.C.: Nov. 14,
2005).
[20] For more information, see GAO, Tax Administration: IRS's 2008
Filing Season Generally Successful Despite Challenges, Although IRS
Could Expand Enforcement During Returns Processing, [hyperlink,
http://www.gao.gov/products/GAO-09-146] (Washington, DC: Dec. 12,
2008). See also Public Law 110-185, 122 stat 613, February 13, 2008.
[21] All numbers are current as of September 12, 2008.
[22] This includes the Occupant Emergency Plan, Incident Management
Plan, Business Resumption Plan, and the Disaster Recovery Plan.
[23] TIGTA, Weaknesses in Business Resumption Plans Could Delay
Recovery from a Disaster, 2008-20-178 (Washington, D.C., Sept. 2008)
[24] The training was held at the end of our review and we were unable
to observe the outcomes of this training.
[25] See FEMA IS-139, Exercise Design, [hyperlink,
http://training.fema.gov/EMIWeb/IS/is139.asp].
[26] Although an additional outcome of tests and exercises is risk
identification, and IRS provided examples to us of risks it identified
through its tests and exercises, we did not assess its risk management
processes.
[27] IRS has completed extensive analyses to ensure that the total
number of campuses corresponds with the campus workload generated by
the number of paper tax returns. This helps ensure that they do not
have extra, unneeded capacity.
[28] Because the IRS has the largest federal call center it has an
agreement with FEMA to use the call centers to assist in FEMA's
disaster response.
[29] For more information see, Human Capital: A Guide for Assessing
Strategic Training and Development Efforts in the Federal Government.
[hyperlink, http://www.gao.gov/products/GAO-04-546G]. (Washington,
D.C.: March 2004).
[30] For more information, see GAO, Results-Oriented Cultures: Creating
a Clear Linkage between Individual Performance and Organizational
Success, [hyperlink, http://www.gao.gov/products/GAO-03-488]
(Washington, D.C.: March 14, 2003).
[31] Focus groups and other inquiries completed by IRS confirm that
employees have a high understanding of the agency's mission and goals
[32] A workgroup includes all the employees assigned to one manager.
[33] This issue was not closed during our review.
[34] Informal social networks, such as relationships among employees
that are not part of the formal IRS working structure, were not
assessed by as part of this review.
[35] According to the Federal Continuity Directive 1, mission essential
functions "enable an organization to provide vital services, exercise
civil authority, maintain the safety of the public, and sustain the
industrial/economic base during disruption of normal operations."
[36] For more information, see GAO, Tax Administration: Many Taxpayers
Rely on Tax Software and IRS Needs to Assess Associated Risks,
[hyperlink, http://www.gao.gov/products/GAO-09-297] (Washington D.C.,
April 2, 2009).
[37] Senate Committee on Homeland Security and Government Affairs, S.
Rpt. 109-322, Hurricane Katrina: A Nation Still Unprepared (Washington,
D.C., 2006).
[38] See GAO, Risk Management: Strengthening the Use of Risk Management
Principles in Homeland Security, [hyperlink,
http://www.gao.gov/products/GAO-08-904T] (Washington, D.C.: June 24,
2008).
[39] See GAO, Catastrophic Disasters: Enhanced Leadership,
Capabilities, and Accountability Controls Will Improve the
Effectiveness of the Nation's Preparedness, Response, and Recovery
System, [hyperlink, http://www.gao.gov/products/GAO-06-618]
(Washington, D.C.: September 6, 2006).
[40] See GAO, Results-Oriented Cultures: Creating a Clear Linkage
between Individual Performance and Organizational Success, [hyperlink,
http://www.gao.gov/products/GAO-03-488] (Washington, D.C.: June 24,
2003).
[41] Ibid.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
