Technology Risk Management

Enterprise-wide IT risk will be evaluated through standard policies, procedures, and a
governance model to identify appropriate mitigations for the County as an enterprise.

Rationale

The tradeoffs between business value and risk must be considered at the enterprise level.
Evaluating and communicating acceptable levels of risk will ensure optimum protection of
resources within the business and the County overall.

Implications

  • Business-specific technology risks will be managed at the appropriate level (e.g.,
    by Governance bodies and working groups such as Cloud Review Committee) in
    accordance with enterprise-wide standards, policies, and procedures, and
    escalated to ITMC as appropriate.
  • Criteria and thresholds will be defined so independent oversight will occur on
    technology implementation projects.
  • The solution architecture process will define the solution that meets the business
    unit’s acceptable risk standard in balance with other factors, including cost and
    functionality.

IT Investment Management & Governance

Management of IT investments (e.g. allocation of IT resources, funding of projects) will
align with the County’s strategic objectives and the General Management System.

Rationale

Focusing IT investments on the County’s most important priorities maximizes business
benefit achieved from IT resources.

Implications

  • IT investments will be well-defined by business cases to:
    • Provide an analysis of costs, benefits, value and risks
    • Demonstrate compliance with County Service Levels
  • IT investments will be guided by defined governance with equitable representation
    from executive, business and technology groups.

Enterprise IT Costs

The County will share the costs of enterprise-wide IT initiatives, resources and assets, and
will strive for transparency, fairness, and predictability in cost allocation.

Rationale

County-wide sharing of costs for commonly used IT resources and assets will increase
consistency, transparency and cost efficiencies.

Implications

  • Business group-specific IT resource costs may not be shared.
  • Budgeting, pricing, cost models, allocation practices and reporting will be
    implemented and communicated across the County.

Reuse, Buy, Build

The County will follow a rigorous solution architecture process that will implement the
following preferences for delivering new functionality:

  • To meet requirements for new business functionality, the County prefers to re-use
    existing County applications, services, tools, components and functions.
  • The County will seek to acquire the functionality in COTS or Cloud-based software.
  • For functionality that cannot be acquired, the County will consider business
    process re-engineering and custom development as a third alternative.

Rationale

Clear articulation and adherence to prioritized criteria for reuse / buy / build decisions will
ensure greater flexibility, extensibility and cost/time efficiencies in technology solution
development, deployment, and maintenance.

Implications

  • Existing County technology assets (e.g. applications, services, tools, components
    and functions) will be documented and available for reuse.
  • Prioritized criteria for reuse/buy/build decisions will be documented and used
    consistently in analysis for delivering new functionality.
  • A high level of connectivity and interoperability among all hardware, software,
    communication components, external suppliers / vendors, and customers will be
    sought.

Enterprise Architecture

The County’s Enterprise Architecture, developed and maintained with the
participation of technical and business unit groups, will be used as the authoritative
source for County technology, information, and application architecture standards.

Rationale

Enterprise architecture ensures consistency, enhances integration, and improves
quality and cost efficiency in the design and delivery of technology solutions across
the enterprise.

Implications

  • The County will build on industry standards to take advantage of mainstream
    technologies and solutions, to minimize lock-in and to make use of open
    standards and best-of-breed solutions in the County EA.
  • County business groups must play an active role defining requirements while
    adopting enterprise architecture standards for County-wide benefit.
  • Business technology solutions will adhere to the County’s Enterprise
    Architecture standards.
  • Exceptions will be made through a managed process, based on unique
    business and/or technology requirements.

County Standards Compliance

All County IT solutions and services will comply with County security, privacy, technical,
and other standards, and will meet appropriate audit, regulatory and legal requirements.

Rationale

Well-documented and consistent adoption of County standards will protect enterprise
resources.

Implications

  • County standards will be reviewed and communicated on an on-going basis to
    ensure compliance.
  • This principle should be applied when negotiating IT service contracts.

Service Levels

The County’s Solution Architecture process will ensure that service levels for availability,
performance, capacity, and scalability are specified.

Rationale

Explicit service levels and agreements will enable delivery of required services.

Implications

  • Contract management will be required to review and monitor service level
    agreements and ensure appropriate contract leverage.
  • Reporting of performance against documented Service Levels will be required to
    provide transparency and identify trends or service improvement needs.

Technology Adoption

The County will adopt technology using a “fast follower” profile for systems of record
(bimodal mode 1) and will consider early adoption for systems of innovation and
differentiation (bimodal mode 2).

Rationale

A bimodal approach to technology adoption will allow the County to drive innovative,
state-of-the-art technology solutions in balance with managing costs and risks.

Implications

  • The County will be quick to adopt proven technologies.
  • The County will consider technologies closer to the bleeding edge for innovative
    business solutions and areas where technical currency is a key driving factor.

Innovation and Continuous Improvement

The IT organization is a catalyst for innovative change, and actively encourages
exploration of technology innovation for business benefit. The IT infrastructure will
enable continuous technology evolution (grow, add or change) while minimizing impacts
to infrastructure use and improving operational performance.

Rationale

Technology is an integral part of the County’s business, and the IT organization is
responsible for spearheading technological innovation and solutions in partnership with
business groups for business value.

Implications

  • IT will develop and maintain a digital workplace environment that serves to
    attract and develop an agile, adaptive, knowledgeable and skilled workforce that
    will make informed technology decisions and deliver business-driven technology
    solutions.
  • The County will selectively support and evaluate innovation pilots/prototypes to
    determine how they can be adopted as enterprise-wide services.
  • External IT service providers and vendors are expected to enable and offer
    innovation where it brings benefit to the County.
  • Service providers are also expected to drive continuous improvement throughout
    the service lifecycle by developing and maintaining an understanding of County
    service improvement and innovation needs, and by measuring outcomes against
    the expectations defined in system business cases.

Lifecycle Management

The County will manage the lifecycle of IT products and services.

Rationale

IT Lifecycle management is needed to contain the O&M cost of the IT portfolio and to
maintain technical currency and supportability.

Implications

  • Lifecycle management will leverage the original business case associated with the
    system to facilitate periodic assessments of functional, technical, and financial
    aspects of County IT services, applications and infrastructure.
  • Lifecycle management will determine appropriate future actions in alignment with
    the Enterprise Architecture.

User Experience

County technology solutions will be designed to optimize the user’s experience while
maximizing sharing and reuse of technologies and services.

Rationale

Technology solutions need to be user-centric in design, delivery and deployment to
maximize business value and adoption.

Implications

  • County Solution Architecture process and methods must take UX into account.
  • The user’s experience will be optimized based on the user’s authorizations and
    the capabilities of the user’s device and access channel.
  • User experience solutions will maximize sharing & re-use of technologies and
    services across all devices and channels for consistency.

Development Practices

All internal and external development will follow leading industry and County-adopted
practices and processes, including the clear definition of requirements.

Rationale

Common methods will ensure improved quality, predictability, reliability and efficiency of
application development and delivery.

Implications

  • Joint participation by the business and technology staff throughout the
    development process will ensure business-focused activities including solid
    definition of business requirements.
  • Rigorous, repeatable practices and processes, such as those consistent with the
    Software Engineering Institute’s Capability Maturity Model (SEI CMM) Level 3 will
    be used.
  • County-wide project reporting standards will be followed.

Enterprise Information Management

The County will leverage its existing Enterprise Information Management (EIM) strategy
and program that includes stakeholders from the business groups and the County
Technology Office.

Rationale

Enterprise Information is an asset that must be managed and leveraged for business
benefit across the County.

Implications

  • The EIM program will build on and implement County-wide information standards
    to be developed in the Enterprise Architecture, including a consistent enterprise
    data model.
  • County policies and processes for information access and use will be governed by
    the EIM program.
  • The EIM program will ensure that any aggregation of data will trigger a review to
    determine if different policies apply to the aggregated data, and to implement
    those policies.

Third-Party Access

Access to system or business resources shall only be granted via explicit discretionary
access control (e.g., identification, authentication and authorization) in accordance with
County security policies.

Rationale

Access based on County security and role-specific policies will ensure appropriate access is
provided with maximum protection of resources with minimal administration and
disruption.

Implications

  • County will provision appropriate access for third parties as needed to support
    the business.
  • Third-party access must adhere to this principle and standard County processes
    that include business and CTO Security participation.

Business Continuity and Disaster Recovery

Business continuity is a responsibility of the business groups. IT disaster recovery,
including data recovery, is a shared responsibility among business groups, the County
Technology Office, and IT outsourced vendor(s).

Rationale

The County’s business groups, technology office and outsourced vendor(s) will collaborate
and plan to ensure minimal disruption to business operations.

Implications

  • The allocation of resources to business continuity shall be determined by the
    impact of service disruption, the cost of service availability protection and the cost
    of service restoration.
  • Business Continuity Plans maintained by the business groups will serve as inputs
    to the IT disaster recovery approach and plan.
  • Any data that is needed for mission-critical operations must be backed up using a
    backup/restore solution consistent with the Enterprise Architecture.
Page last updated 03/12/2026