Review of VITA's Organizational Structure and Staffing 

WHY WE DID THIS STUDY

The Appropriation Act directs JLARC to review and evaluate VITA on a continuing basis (Item 32 E. of Chapter 552, 2021 Acts of Assembly, Special Session I). As part of this ongoing oversight, JLARC members approved a motion in October 2020 for JLARC staff to review VITA’s organizational structure and staff. JLARC staff assessed VITA’s organizational structure and staffing related to its IT infrastructure responsibilities and IT oversight responsibilities.

ABOUT 

VITA is the Commonwealth’s consolidated IT agency and is responsible for providing infrastructure services to state agencies (such as laptops, internet and phone, and servers) and oversight of state agency IT functions (such as security, procurements, and project management). VITA was created in 2003 when the General Assembly enacted legislation consolidating the IT infrastructure and related staff of most executive branch agencies.

WHAT WE FOUND

VITA generally has a reasonable organizational structure

The Virginia Information Technologies Agency (VITA) is led by the chief information officer of the commonwealth (CIO) and three executives—a chief operating officer (COO), a chief information security officer (CISO), and a chief administrative officer (CAO)—who oversee 18 directorates. The organizational structure reasonably divides agency responsibilities, and there are no major problems with unclear or overlapping responsibilities. VITA staff generally believe the organizational structure is effective, and it is similar to the structure used by the two other states with multi-supplier IT infrastructure models. VITA staff also report that their directorates generally coordinate effectively, although agency staff need to coordinate better to develop new statewide IT services.

VITA’s organizational structure creates potential conflicts of interest for the oversight of project management

VITA has responsibility for implementing its own projects and supporting customer agency IT projects, but VITA also has oversight of these projects to ensure they are managed appropriately. VITA’s project management oversight responsibilities are carried out by its project management division (PMD), which is organizationally placed several levels under the CIO.

PMD’s placement within a directorate under the COO creates the potential for conflicts of interest regarding VITA’s oversight of its own IT projects as well as customer agency projects. VITA staff who are responsible for implementing VITA’s own projects also report to the COO through a separate directorate. This could put the COO in the difficult position of determining how to prioritize conflicting operational and oversight goals and responsibilities. In addition, customer agency IT projects rely on VITA’s infrastructure services, which the COO oversees. If a customer agency’s IT project encounters problems such as delays or cost overruns, part of PMD’s role is to objectively identify the problems, including whether there are issues related to VITA’s infrastructure, and make recommendations for addressing them.

VITA staff are satisfied with the agency and turnover is low, but managers could be more diverse

Over 80 percent of VITA staff reported that they are satisfied with their job and with VITA as an employer. VITA also has relatively low turnover among its staff compared with other state agencies. VITA’s FY20 turnover rate was 7.5 percent, compared with 14.2 percent for all state employees. VITA’s workforce is older than the overall state employee workforce, and VITA leadership is implementing strategies to minimize the impact of future retirements on agency performance.

The diversity of VITA’s overall workforce is similar to that of Virginia’s population and the state employee workforce, but VITA lacks adequate racial diversity among its managers. Eighty percent of VITA managers are white compared with 62 percent of non-managers. VITA’s leadership has acknowledged the need for increased diversity among managers and is taking steps intended to improve diversity

 VITA lacks enough IT security staff, but staffing levels are less of a concern in other areas

With the exception of IT security, VITA staff did not express major concerns with staffing levels or workload. Nearly two-thirds (64 percent) of staff outside the security group said the amount of work assigned to them was about right, and only 14 percent of staff outside the security group identified high workload as a source of job dissatisfaction.

However, VITA needs more IT security staff to handle growing security responsibilities. Although VITA’s security staffing levels have increased, the increase has not been enough to keep pace with increased workload related to VITA’s transition to a multisupplier service model, its focus on proactively providing customer agencies new statewide services, and increasingly complex cybersecurity threats. Only 7 percent of IT security staff agreed that their directorate had sufficient staff to effectively perform mission-critical functions, and nearly half of security staff reported they work overtime on a daily or weekly basis. Insufficient security staffing jeopardizes VITA’s ability to effectively conduct security reviews, contributes to delays in the development of new services, and increases the risk of a cybersecurity breach.

VITA has difficulty recruiting for some highly technical positions

For most positions, VITA is able to hire staff with the desired level of qualifications and experience. However, VITA has difficulty recruiting staff in some highly technical areas, such as cloud computing and enterprise architecture. VITA managers indicate this is because VITA cannot offer salaries competitive with the private sector, although VITA has not conducted a market comparison. VITA uses several strategies to hire staff in these areas, including the use of contractors, but these strategies provide limited assurance that VITA can recruit and retain needed staff in the long term. VITA should make full use of the options available under the state’s compensation policy to ensure it can recruit and retain classified staff with the necessary technical expertise.

VITA relies heavily on contractors to supplement its workforce, which are often more expensive

About a quarter of VITA’s workforce are contractors. Contractors give VITA flexibility to fill hard-to-staff positions, develop staff expertise, and meet short-term needs. However, they are often more expensive than classified staff and turn over more frequently. For many positions, VITA’s default staffing approach has been to use contractors—even when a position is long term and not difficult to fill. For example, 34 percent of VITA’s contractors had worked at VITA for more than three years as of March 2021. More than 70 percent of VITA managers who supervise contract staff said contractor positions should be filled with classified staff.

WHAT WE RECOMMEND

Executive action

  • Assess the process for developing new statewide IT services at the end of 2021 to determine the impact of recent staffing and procedural changes.
  • Elevate the project management division to a separate directorate under the chief operating officer and develop a formal policy requiring the directorate to report directly to the chief information officer regarding oversight of IT projects where there are actual or potential conflicts of interest.
  • Develop a plan to fully staff VITA’s security group to meet statutory responsibilities and provide the plan to the Joint Legislative Audit and Review Commission, the Senate Finance and Appropriations Committee, and the House Appropriations Committee by December 15, 2021.
  • Conduct a joint compensation review with the Department of Human Resource Management to develop a strategy for fully using options available under the state’s compensation policy to recruit and retain highly technical and agency leadership positions.
  • Develop guidelines that specify the circumstances under which VITA should use contractors and develop a plan for hiring classified staff to replace contractors not meeting these guidelines.

The complete list of recommendations and options is available here.