Frequently Asked Questions

Why EPMO is involved in IT activities?

On behalf of the Agency of Digital Services, the EPMO coordinates the following as required by Vermont statute:
1. Reviews & approves IT activities over $500K*;
2. Sets standards for management, organization and tracking of IT activities over $500K*;
3. Provides project management oversight on all IT activities over $500K*;
4. Reviews & approves Project Managers for IT activities over $500K; and
5. Facilitates an Independent Review for IT activities over $1M.

What is an IT activity?

As defined by Vermont statute, an IT activity is the:  “Creation, collection, processing, storage, management, transmission, or conversion of electronic data, documents, or records; and the design, construction, purchase, installation, maintenance, or operation of systems, including hardware, software, and services which perform or are contracted under Administrative Bulletin 3.5 to perform these activities”.  Translated: An IT activity is anything that uses or deploys Information Technology, whether in-house or outsourced.

What is a project?

The Project Management Institute defines a project as a “temporary endeavor undertaken to create a unique product, service or result”.  Projects have a clear beginning and end unlike an IT activity that is ongoing.  A project is the vehicle used to implement, enhance or change an IT activity. 

Does the EPMO provide Enterprise Portfolio level reporting on IT activities?

The EPMO provides annual enterprise portfolio reporting of IT activities over $500K* to the State Legislature and provides quarterly reporting to the project management community within state government (also known as the Project Information Exchange group).  See Reporting and Metrics for more information.

What is Project Oversight?

The EPMO is required by Vermont statute to provide project management oversight on all IT Activities over $500K*.  These IT activities are assigned an EPMO Oversight Project Manager (OPM).  The bulk of the oversight provided by the EPMO is focused on ensuring the success of technology projects.  The OPM (in conjunction with the Business) performs an initial project risk evaluation to determine the appropriate level of oversight needed for a project.  There are 3 levels:  Light, Classic and Robust.  The selected level determines the number of oversight activities performed and the project management deliverables required from the Project Manager.  See Project Oversight for more information.

What is the State’s IT Project Lifecycle?

1. Exploration:  Feasibility review and go/no go decision
2. Initiating:  Scope the work and authorize the project to proceed
3. Planning:  Procurement (RFP and contract) and project management planning
4. Executing:  Perform and manage project work (includes implementation)
5. Closing:  Close-out the project /contracts and perform a lessons learned 
See Project Process for more information.

When is State CIO approval required for an IT activity?

1. An approved Business Case/Cost Analysis is a prerequisite for CIO approval on any RFP, Contract or Contract Amendment for IT activities with lifecycle costs over $500K. The EPMO has a combined Business Case/Cost Analysis form called the IT ABC form.  See Starting an IT Project for more information. 
2. RFPs require State CIO approval prior to posting for all IT activities with lifecycle costs over $100K (based on Administrative Bulletin 3.5). 
3. Contracts and contract amendments require ADS review and State CIO approval for all:

a. Contracts for cloud services (SaaS, PaaS and IaaS) regardless of dollar value;
b. Information Technology and Information Security contracts which will involve the electronic processing, storing, or transmission of Confidential Information;
c. Sole Source Contracts for information technology activities and information security (must be approved prior to approval by the Secretary); and
d. Information Technology and Information Security contracts over $500,000.

See Procurement Assistance for more information on RFPs and Contracts.

How much time should I build into my project schedule for reviews and approvals?

Allow 10 business days for ADS review and approval of IT ABC forms (Business Case/Cost Analysis) and RFPs.  Note it can take longer to obtain approval for documents that require significant revisions.  See Starting an IT Project.

Contract negotiation and review (Business, Vendor, AG and ADS) takes time and often involves multiple iterations.  If you are negotiating a brand new contract, it is recommended that you plan on 4 weeks to complete the contracting process. See Contracting.

Independent Reviews take 5 to 6 weeks on average to complete (with some being completed in as little as 3 weeks and others closer to 8 weeks). See Independent Review.

Are there any additional costs that might not be on my radar?

The EPMO charges for their services, which includes the project management oversight required by Vermont statute. Rates are billed at $74/hour for the actual time incurred on the IT project/activity.  

You may need to hire a Project Manager (PM). Going rates average $125 to $175 per hour.  The success of your project is dependent on filling this important role with a qualified PM.  Note: Vermont Statute requires the EPMO to approve your PM assignment if the lifecycle costs of your project are $500K or more.

If total lifecycle costs of your IT activity are one million dollars or more your project is subject to an Independent Review (IR). Costs for the IR Contractor average $11,000 to $20,000 and can be even greater depending on the scope and complexity of the IR.   

What are the most common risks to a project's success?

The EPMO researched Independent Review Reports from 2013 to 2016 to identify the top 10 most commonly cited risks:

  1. Resources Issues: fifteen percent (15%) of the total risks were cited as resource related. Notations included staff not being identified for the project either on the State or vendor side or there was no documented staffing plan identifying staff assignments. 
  2. Timeline/Schedule: eight percent (8%) of the total citations referred to the timeline or project schedule. The vendors noted staff availability, and State of Vermont’s control of the project and timeline. 
  3. Contract Issues: seven percent (7%) of the risks involved citations noting unclear contract language, conflict resolution, final decision authority, cost resolution, and escalation process. 
  4. Funding: six percent (6%) of the total risks citations referred to funding not being secure, support being subject to approval by legislature and/or federal funding. 
  5. Vendor Management: six percent (6%) of the total risks were related to comments on vendor management ranging from evaluation to stability. 
  6. Governance, Risks and Compliance: five percent (5%) of the total risks citations fell into this category for lack of a governance process, lack of risk identification or mitigation plans and or compliance with regulations. 
  7. Security: five percent (5%) of the risks were cited for the vendor responding as being compliant with web-based payment processing, attestation to Statement on Standards for Attestation Engagements (SSAE) No. 16 Type II audit certification, secure information/retention requirements, and reference to mobile device support. 
  8. Data Conversion Plan: four percent (4%) of the risks emphasize the need for data standards to be identified, developed and/or documented prior to implementation such as will the team be running parallel systems, is it a “big bang” conversion, define the system requirements and data load requirements. 
  9. Requirements: four percent (4%) of the notes reference the need for documenting and gathering requirements to include the amount of work that could be involved with the requirement. For example, a functional requirement needing configuration and development could involve a large amount of resources. The timing of when the requirements are met was noted as a risk because it could result in development activities after go-live. 
  10. Implementation Plan: three percent (3%) of the notes identified a need for an implementation plan. There were notes of unclear level of effort to integrate legacy State systems and connections which may cause delays. 

What can I do about risks?

Create a Risk Management Plan:  Have a risk management plan for identifying, assessing, monitoring and responding to risks.

Identify Risks:  Identify and plan for risk before it happens.  This can be the difference between project success and failure.  Project Teams must identify anticipated risks early on, and repeat this process throughout the project.

Assess Risks:  Project teams need to assess how likely a risk is to occur and the impact if it does occur.  Focus on having a planned response for those risks that have the highest combined likelihood of occurrence and impact.

Monitor and Respond to Risks:  Continually monitor the project to identify new risks, eliminate any that are no longer risks, and to identify when to act on risk plans/responses.

*The dollar threshold was $100,000 from July 2012 through June 2015.

Got Questions?  Contact Us