Severity is rated on four categories: impact on citizens, visibility to the public and Legislature, impact on state operations, and the consequences of doing nothing. Risk is also rated on four categories: impact of the IT investment on the organization, the effort needed to complete the project, the stability of or familiarity with the proposed technology, and agency preparedness.
Assessing a proposed IT investment against the criteria in these categories indicates the level of overall risk, which determines the level of OCIO oversight and agency reporting. The proposed IT investment will be assessed as a level 3 (highest risk), level 2 (medium risk), or level 1 (lowest risk).
If the agency’s preliminary assessment results in (or is likely to result in) a level 2 or level 3 assessment, the agency must conduct an assessment with its OCIO Consultant prior to submitting the investment to the OCIO for approval.
If the agency’s preliminary assessment results in (or is likely to result in) a level 1 assessment, the agency will report the investment to the OCIO in the manner prescribed.
For purposes of this policy and chapter 43.41A RCW, all Level 2 and Level 3 projects are considered “Major Projects”.
If the OCIO assesses the proposed IT investment at a level that differs from the agency’s assessment, the OCIO will discuss the assessment with the agency CIO. In those rare instances where agreement on the assessment cannot be reached, the decision of the OCIO will prevail.
The criteria summarized in the matrices are general guidelines for assessing IT investments and are not intended to be exhaustive. In general, the highest-level evaluation in a category determines the level for that category. For example, a project or investment that meets one or more of the bulleted criteria within the "high" category results in a high rating for that category, even though it may also meet several in the medium or low categories.