Bigger is Not Better for OPM

The Office of Personnel Management is getting the kind of attention that most Federal agencies never want. The data breach has people questioning the competence of OPM’s staff and leaders, and asking why OPM exists in the first place. So many people have been affected, and in such a personal and lasting way, that business-as-usual is simply not a viable option. So what does something other than business-as-usual look like?

OPM says its mission is “…to recruit, retain and honor a world-class workforce for the American people.” Although OPM is small when judged by the standards of Defense, Homeland Security, VA and other Departments, with 5,500 employees and a budget of $2 billion it is considered to be a “large” Federal agency. A deep dive into those numbers offers some surprising insights. When combined with a look at OPM’s history and how it operates, I believe it shows a clear path forward for OPM that can return the agency to credibility and effectiveness in its core mission.

The Numbers

That $2 billion in OPM’s 2015 budget contains a surprisingly small amount of appropriated money. More than $1.6 billion is from the OPM revolving fund and $118 million comes from Trust Fund accounts. The revolving fund includes revenue and expenses related to background investigations, USAStaffing, USAJobs, consulting services, and other services for which OPM charges a fee to agencies. The majority of revenue and expenses in the revolving fund are associated with background investigations. Trust dollars come from the Civil Service Retirement and Disability, Federal Employees Health Benefits, and Federal Employees Group Life Insurance Funds.

Most surprising is the number of dollars and employees associated with background investigations. More than half of OPM’s money ($1.13 billion) and employees (2,726) are involved in background investigations.

OPM 2016 Budget Justification

The Civil Service Reform Act of 1978 provided that “the function of filling positions and other personnel functions in the competitive service and in the executive branch should be delegated in appropriate cases to the agencies to expedite processing appointments and other personnel actions, with the control and oversight of this delegation being maintained by the Office of Personnel Management to protect against prohibited personnel practices and the use of unsound management practices by the agencies.” The core mission of OPM is crafting regulations and policies to implement the merit system and to oversee agencies’ hiring practices. In addition, OPM administers Federal pay, retirement and health and life insurance systems. Those roles are so critical that I believe it is essential to have an independent agency to carry them out. That does not apply to many of OPM’s other roles. In fact, OPM is offering so many services now that they make up the majority of the agency’s budget and staff, and it is difficult to see how it can excel in all of them and still devote sufficient executive time and attention to its core mission. Part of the problem is that OPM has gotten trapped in a fee-based arrangement where they have to sell services to be able to support the core mission. Congress could help by adequately funding a smaller and more focused OPM through appropriations, rather than asking them to rely so heavily on fees.

Just Say No

When he returned to an Apple, Inc that was on the verge of bankruptcy, Steve Jobs famously said “We had to decide what are the fundamental directions we are going in and what make sense and what doesn’t. Focusing is about saying no.” He went on to explain that saying no makes a lot of people unhappy, but the results of focusing are worth the pain.

It is time for OPM to start focusing by saying no to the roles that are not part of their core mission. Here are a few good places to start:

Say No to background investigations. The idea of having OPM conduct background investigations seemed sound. They are related to hiring and consolidating the work would probably be more efficient. Sounds great, but now more than half of OPM is handling background investigations. And we see that having background investigation data for 90% of the government in one place creates a huge target for hackers. The outcome is likely to cost far more than we ever saved by consolidation. OPM should get out of background investigations entirely and the work should either be decentralized into the large Departments and Agencies or, because of the intelligence value of the collected data, assigned to an agency more focused on intelligence or law enforcement.

Say No to selling software, unless it is necessary to further the core mission. Shared services are a sound idea but not when commercial off-the-shelf products are available. OPM is currently the largest provider of talent acquisition software for the Federal government. USAStaffing is used by agencies representing more than 70% of the Federal work force. The fact that there are good, fully federalized, commercial products available from companies like Monster, Acendre and Economic Systems has not stopped OPM from investing time and money in developing software and competing for market share. There is no compelling reason for the government to remain in this market. The exception is OPM’s USAJobs system. Although there are excellent job board systems available commercially, the need for all of the talent acquisition systems to work seamlessly with the government’s job board makes a government-owned system make sense. Otherwise we could find ourselves in a position where the company that provides the job board could make their software work better with it, thereby forcing the other companies out of the Federal market. USAJobs is a great example of the need for appropriated money. OPM currently has to charge every agency a fee for the system. It would be far more efficient to simply put the money there to begin with rather than going through the gyrations of putting it in other Departments and agencies and then making them write a check.

Say No to selling services when it creates an organizational conflict of interest. In addition to background investigations, OPM sells consulting services in a variety of areas. It does some of that through the private sector and some using OPM staff. Most of the work that is done using the private sector (through firms like my employer and others) is through OPM’s Talent and Management Assistance contracts. Federal agencies have used them successfully for years and they have been one of the go-to sources for Federal agencies. The replacements for the TMA contracts are moving to GSA as part of a new partnership between OPM and GSA. That is an excellent move by both agencies – it puts a contracting agency in charge of the contracts. Where there is an organizational conflict is in areas where OPM is responsible for regulations, policy, and oversight, but sells related services using its own employees to do the work. Although OPM attempts to separate their policy and oversight work from their fee-for-service activities, it is hard not to be influenced by the need for continued revenue. For example, when I was DHS Chief Human Capital Officer, during one CHCO Council meeting a former OPM executive expressed concerns that what the CHCOs wanted for a new policy would affect OPM’s business for one of its fee-based services. Former Director John Berry made it clear that he would not make policy based on potential loss of fees, but the fact that the issue was raised shows that the concern is legitimate. Work that presents a potential conflict should be moved, along with the associated staff, to another agency that provides shared services. OPM should provide fee-based services only where it makes sense to do so, such as administering the White House Fellows program. I have to admit I’m on the fence on services related to advertising jobs for agencies. While I could make the argument that OPM writes regulations and conducts oversight for staffing functions, employment services have been part of the mission since the beginning of the Civil Service Commission. The difference is that now agencies have to bring their checkbook to get the services.

Say Yes to a Revitalized OPM

If OPM sheds the roles that are not necessary to carry out its core mission, it can begin to offer some real benefits that would help it “recruit, retain and honor a world-class workforce for the American people.” Among the things OPM is ideally suited for and should say Yes to are:

Say Yes to analytics. Everyone learned that OPM has massive amounts of data on the Federal workforce. They also have data on hiring, separations, retirement, and virtually every aspect of the Federal workforce. While OPM uses some of that data to inform its policy development, workforce analytics should be a key offering. For example, by linking data from the hiring process with performance results, OPM data could help agencies identify the hiring methods that produce the highest performing employees. The opportunities to turn that data into usable information are tremendous. OPM could provide detailed data sets to agencies that they could use to conduct meaningful analytics.

Say Yes to classification reform. OPM could dramatically simplify job classification by reducing the number of job series and simplifying classification standards. Doing so would also make OPM’s job of keeping the remaining standards up to date far easier. There is no need for legislation to do that. OPM has the authority to start doing it today.

Say Yes to more hiring reform. The initial movement toward hiring reform begun by President Obama was a great first step, but much of it was focused on telling agencies they had to do better in running the hiring process. However, much of what makes the Federal hiring process so cumbersome is driven by regulations rather than law. OPM should identify everything that it can do to make its own regulations more effective.

Say Yes to a new approach to performance management. Very little of what drives people crazy about Federal performance management is driven by the law. OPM has tremendous authority to craft and implement new regulations that would simplify and dramatically improve performance management.

Say Yes to customer service. OPM should also consider a reorganization of the remaining work to focus on key mission areas and to develop a more strategic approach to integrated policy development and oversight. Its current structure does not appear to produce well-coordinated policy guidance that takes the entire employee life cycle into account. Doing so would help revitalize their advisory services work so agency HR staff have easy access to the people who write regulations and policies. In the past, OPM was a superb source of insight. There are still a lot of talented and knowledgeable HR experts at OPM, but their current structure makes it more difficult for agencies to find the right person to ask for help.

Some of the people I have talked with regarding OPM say the agency should never agree to shrink from 5,500 employees to 2,500. They say that makes OPM a more likely target to be consolidated into another agency, such as GSA or even into the Office of Management and Budget. That may be true, but if we believe people are such an important resource, and talent management is such a critical issue, having an effective, independent agency to manage people programs is too critical to make it a tacked-on feature of some other agency. A newly focused and high-performing OPM could help the Federal government move beyond its current outdated approach to talent management without having to ask Congress to change the laws regarding hiring, classification and pay. I believe OPM still has the potential to be the talent management agency the government needs. The benefits to the people and to the government are too great to avoid acting solely because of internal government politics.

What’s Next for OPM?

The OPM data breach has put the government’s personnel agency in a deep hole. Critics are accusing OPM of an inadequate response and poor communications and questioning how the agency can continue to operate effectively. That is not a surprise. Something as big and as shocking as this can be a credibility killer for any organization. Even so, I have been surprised by the number of people who have told me OPM should be shut down and its mission transferred to other agencies. Others have told me the agency just has to “hunker down” and take its lumps before returning to business as usual. Neither approach is productive.

When an organization finds itself in a security, morale and public relations nightmare, it has to act or be damaged beyond recovery. Like Sony, Target, Anthem and others, OPM can recover from this mess, but it will have to take a number of deliberate steps to begin moving forward and eventually emerge as a better and more effective agency. In this post I am going to address some steps OPM should take to get started. I believe OPM has a vital mission and it certainly should not be shut down, but there are structural changes that OPM should make to refocus and ensure it does not find itself here again. I will address those in my next post.

The Rest of the Story

Every story has a beginning, middle and end. We already know the beginning of this story. Two cyber security breaches exposed vital records of more than 20 million people. We are in the middle of the story now, and it is very personal. Rather than being an abstract tale about someone else’s misfortune, this one directly affected virtually every Federal employee (including members of Congress), cleared employees of government contractors, and 1.8 million family members and associates. We/they are angry. We still do not know everything we want to know. We saw an agency that was slow to respond, did not want to say “we are profoundly sorry for this failure,” did not maintain clear and open communications, and did not appear to know what to do next. Given the scope and long-term impact of the breach, that reaction was infuriating, but not surprising. Few organizations take the necessary steps to prepare for a crisis of this scale.

OPM has the opportunity to help define the arc of this story and influence how it ends. If OPM is going to emerge from the breach successfully, it needs to address the anger and fear and demonstrate that it knows what to do. Here are some suggestions on how to begin:

Get the Credit Monitoring/Identity Protection Issue Off the Table. Because this is such a personal issue and the fear of identity theft is so strong, the government needs to offer long-term credit monitoring and identity theft protection to everyone who was affected by both breaches. This one will require help. I know a lot of people say OPM should pay for what happened, but that is not the way Federal budgets work. It is unlikely OPM’s appropriated dollars can be used without violating the Anti-Deficiency Act and their revolving fund does not have the money to pay for it. That means, as distasteful as it seems, it will require either a new appropriation or money from other agencies. OPM has already advised agencies that it is raising fees for background investigation services to cover the coverage they have already offered. Any long-term protection contract should be awarded competitively after rigorous competition and price negotiations.

Communicate. It is no secret that everyone wants more information. They want to know what happened, they want to know what will be done to make certain it will not happen again, and they want to know what will be done to protect them and their families from the consequences of this breach. Perhaps early communications were poor because of security concerns, but we are at a point where OPM must share more information, answer questions, and start reassuring people. They need crisp messaging that does just that. They need to be out in public talking about it. Acting Director Beth Cobert addressed the breach at the July 15, 2015 meeting of the National Council on Federal Labor Management Relations. OPM also participated in a July 16, 2015 event hosted by Maryland representative John Delaney. Those were a good start, but they reached only a few hundred people. Because people get their information from many different sources, OPM should use multiple forms of communications, including social media (the OPM Facebook page has been virtually silent on the breach), press releases, interviews with the media, and more information on OPM’s website. As my new colleague, Jeff Hunt, an international expert in crisis communications with ICF’s PulsePoint Group noted: “Everyone looks for the villain, the victim, the hero and the moral to the story during situations like this. There is a natural vacuum created as these roles get cast. It may be unreasonable to expect OPM to ever achieve ‘hero’ status, but they should be making sure everyone knows who the real villain is. That would be the hackers and not OPM.”

Engage the OPM workforce. The OPM workforce should become a part of the communications strategy. OPM should give their workforce information that they can share with colleagues in other agencies, their families and friends. Those folks are talking with OPM employees anyway. If the OPM workers have nothing to say but “I don’t know anything and am not allowed to talk about it,” their opinions of their employer will suffer, they will feel isolated, and the best may look elsewhere for jobs. While the breach certainly was not the responsibility of just one person, likewise it was not the fault of every OPM employee. Many of them have been doing their jobs and doing them well. If OPM employees are empowered with some useful information and the ability to share it, they will be more engaged and will help share information that is accurate and beneficial.

Share the Learning. The learning is important to the healing. As OPM progresses through the fallout of the breach, it will no doubt learn many lessons. An important part of recovery is sharing that learning so the people who were harmed by the breach know that the learning is taking place. We can be remarkably forgiving people when we believe people and organizations who have had failures have accepted responsibility, learned from their mistakes, and taken steps to avoid another failure. OPM should begin communicating what it has learned and how it will incorporate that learning into how it conducts business.

Identify Metrics that Show Progress. OPM will have to make changes as a result of the breach. That may include how it manages technology programs, the types of oversight managers will receive, how it responds to reports from its Inspector General, how it addresses updates to software and operating systems, and many others. Most agencies do not have public metrics about such “weedy” internal operations, but most agencies have not lost the personal data of 20+ million people. OPM will have to go above and beyond the norm to regain its credibility. Publicly reported metrics, based on what the agency has learned from the aftermath of the breach, will provide the transparency that is needed to “trust, but verify” that the agency is taking the learning and applying it in a meaningful way.

Recovery from the breach is going to take a long time, but beginning to regain the trust of Federal employees, the Congress and the public can begin immediately. We need to see visible signs of change and we need them now.