MONDAY 15 JUNE 1998

MR ROBIN MOUNTFIELD, CB, MR MARK GLADWYN, SIR ALAN LANGLANDS and MR FRANK BURNS

  60.  The Ministry of Defence are particularly highlighted in the Report. Have you received assurances or has anybody received assurances that there is no threat to our defence capability as a result of the failure to comply?
  (Mr Mountfield)  Not on those terms. The Ministry have included, as I say, a single return, but we have informal discussions with the people monitoring the overall programme which is of course huge with many, many thousands of individual systems right through the civilian department and the operational end of the Armed Services and I think we are confident that it is being taken at least as seriously there as anywhere else, but complete assurance on every single system I think is probably a step too far.

  61.  Would you think it reasonable to expect the Ministry of Defence to be able to give us the reassurance that there is no threat to our defence capability as a result of this issue?
  (Mr Mountfield)  I am quite clear that it is a very high priority for them to make sure that all their operational priorities are deliverable, in other words, that all their systems are operational when needed.

  62.  Yes, "will be", but is it fair for us to expect the Ministry of Defence to issue some clear statement perhaps in private in some way because of issues of security and to expect that by a date well before December 1999 our defence systems are not in any way threatened by this problem?
  (Mr Mountfield)  I think it would be wrong for me to try to answer in detail on another Department's business. What I have asked the Ministry of Defence to do is to consider whether it is possible for them to disaggregate their return, at least to some extent, subject to requirements of security, so that we can have greater confidence about which parts are going to be on time and which are not. There are questions of concern over priority about it.

  63.  It would of course, as you are extremely well aware, be of extremely high public interest to know that that was the case.
  (Mr Mountfield)  Yes, of course.

  64.  I would certainly urge that whatever mechanisms to maintain the security should be taken into account so that we do have that reassurance in the same way as I would like the NHS to say that people are not going to die from a failure of the medical care in this country, and if there is any threat from any external forces that we can deliver our operational duties overseas.
  (Mr Mountfield)  Of course.

  65.  In a way the Report does not refer to the Department of Social Security who, from the Report, appear to have got it right. What, in your view, was the key factor in the fact that the Department of Social Security have got it right?
  (Mr Mountfield)  First of all, I am glad that the Report is reassuring about the DSS and that does not surprise us because I think it confirms our own views, although they are not unique in that respect and there are others who have not been surveyed in quite this way which are equally up to speed. I think the key, as I see it as a non-IT specialist, is that they have followed very rigorous programme management. In other words, they have set out their objectives at the start of the various stages that have to be gone through and have made sure that they keep up to a programme to deal with that stage by stage.

  66.  Sir Alan, why did not you follow the DSS example?
  (Sir Alan Langlands)  Well, we have followed the same pattern. We are a very different sort of organisation, very heterogeneous compared to the DSS, but we do have very clear project management arrangements in place. We have been monitoring the Health Service on that basis. Our own project framework follows the usual so-called prince criteria and indeed the NAO Report, I think, does not challenge our project framework.

  67.  Yet in September 1996 you issued a letter from the Health Executive to authorities and trusts, but did not put any deadlines on it. There seemed to be a lack of specificity in there which might have meant that people got the letter and thought, "Yes, that is a problem we will deal with", but without any degree of urgency as a result of the failure to put specific deadlines for action.
  (Sir Alan Langlands)  Well, we did not follow through necessarily through monitoring, but we did follow through in a whole number of ways with some training events where the 400 key people from the Health Service were brought together in groups, and we followed through with some information packs that got a good response from the Health Service. We did actually monitor by the early part of 1997 on the basis of what health authorities and trusts had done as a result of that letter and the response was not as good as we wanted, which was one of the reasons we set up the monitoring process, but we do have some very good examples in the Health Service of people who worked to the guidance given in that letter and started the process off by the end of 1996 and that is showing dividends now.

  68.  So the dilemma that you faced was a poorer command structure—I cannot think of the words to use—and the DSS have got a more simplified, unified management system than that covering the NHS and that is the core reason for the lack of similar progress?
  (Sir Alan Langlands)  They certainly have a clearer command structure and, if you like, a more centralised approach to handling IT issues. I think it is fair to say that as the complexities and the difficulties that are arising around the year 2000 became clear, we moved much more into that mode than we naturally would.

  69.  I will come back, if I may, to Mr Mountfield. I am intrigued by the non-departmental public bodies. Has any assessment been undertaken of the risks that they have, like the risks they have in the Health Service, from their failure to comply, whether it be security risks, health risks, safety risks? Has any assessment been done across the board of that?
  (Mr Mountfield)  I think the short answer is no, there has not yet been a comprehensive assessment in quite that form. I would expect local managers to have done very much that sort of thing as part of the ordinary processes of good management, but, as you know, this June return was the first time we have attempted to put comprehensive information together for the whole wider public sector and it is clear that we are not yet there and we have more work to do to fine-tune that analysis and make sure we have a comprehensive picture.

  70.  We are just guessing at what might go wrong really and I am wondering whether we should have a clearer idea from those non-departmental public bodies of their assessment of their own risks that they carry and how they are tackling them.
  (Mr Mountfield)  Well, as you will see from the material that was put on the Internet, there is some detail. It varies in quality and I think that has clearly got to be improved, but they are already under encouragement to publish as much information as possible either on the Internet or by holding public meetings, their ordinary management meetings in public, and that process ought to begin to raise questions about at least the more sensitive of the bodies concerned, but it covers a wide range and some of them, for example, advisory committees and so on, where frankly the IT risks are not all that great.

  71.  That is my dilemma. My dilemma is that I have no way of judging that. I have no way of knowing, but there could be a whole range of things which do not matter and there could be a number of things which really do matter and about which we appear not to have the information. Indeed in March of this year we established a new team of co-ordinators which you are running. Why did we not do that back in September 1996 when the DSS established their Project Management Board and the Health Executive sent out their letter of guidance? Why have we waited over a year and a half to do this for all these other areas where there could be as critical issues to health, safety and security?
  (Mr Mountfield)  Well, I do not think it is quite as inactive as that sounds. The process began about the middle of 1996 when the then Deputy Prime Minister asked colleagues to make sure that all the public bodies for which they were responsible set programmes in hand to correct the problem and that must include contingency planning of course, so I think there is quite a lot of evidence, bit by bit, that that has been done. What we have not had hitherto is a comprehensive picture across the whole wider public sector and we have got more to do to secure that.

  72.  I would agree that we have not got a comprehensive picture and we need it, but I also feel that there seems to be a different flavour of enthusiasm between a government minister encouraging colleagues to ask these questions and a department setting up a project board to actively intervene and manage, and I was wondering why we have waited this long before we have actively intervened and managed.
  (Mr Mountfield)  I think that reflects the different constitutional position that ministers can have the power to direct their departments to do things, but they do not have the power to direct elected bodies, like local authorities, or statutory bodies who have been appointed by due process. What they can do clearly is try and encourage departments to gather information, to press authorities to take it into account, and to encourage bodies to publicise as much information as possible.

  73.  I just think there is a difference, not constitutionally, but in a sense of urgency and that whilst this probably emerged in 1995, most people got it in 1996 and it appears that for the rest of the public sector, they had not got on to it until 1998 which is literally two years before the problem actually happens. Indeed it could be before then for some systems. This is not a constitutional problem, more a problem of really grasping it and taking it seriously.
  (Mr Mountfield)  It depends what you mean by grasping it. If you mean the collection of quarterly returns then, yes, I acknowledge that has only just started. Of course, the purpose of collecting returns is not to initiate action that has not taken place but rather to check that it is already in hand. I think there is plenty of evidence that bodies right through the public sector have done a great deal already. Many of them may be ahead of Central Government for all we know.

  74.  For all we know.
  (Mr Mountfield)  For all we know.

  75.  I would like to pick up a point Mr Leslie made about recovering costs. Did I hear you right to say that you are taking specific action to look at potential recovery costs from suppliers of software and hardware?
  (Mr Mountfield)  No, not quite in those terms. The question of recovery will depend on the individual contract or the individual procurement.

  76.  Are you taking action on these specific contracts of individual procurement to see the possibility?
  (Mr Mountfield)  No, that is for individual departments to do. The priority must be to make sure that as much equipment and systems are compliant as possible. The question of picking up the pieces afterwards if they go wrong is a second order question. It is a very important one and departments will be doing that to the extent that it is possible to change the position that is already contractually committed.

  77.  When you say it is up to departments to do, does that mean that you are not giving central guidance to departments, you are not going to be encouraging them objectively and getting them to pursue the £400 million we appear to be spending? Does that mean you are not doing that?
  (Mr Mountfield)  There is a certain amount one can do centrally. I think the point about liability questions is that one can only judge it in the circumstances of the individual contract or procurement. One can give general guidance on liability questions but all the advice we have so far, and the NHS have got some particular advice in preparation for their circumstances is that, it has to be applied to the individual case.

  78.  I would quite like to see the guidance you have issued.
  (Mr Mountfield)  We have not issued guidance in that form. We have made some inquiries of the lawyers. The advice, as I have said, is you can set up general lines but you cannot say very much more than that without putting the individual case.

  79.  You have not issued guidance?
  (Mr Mountfield)  No.