House of Commons - Work and Pensions

Select Committee on Work and Pensions Third Report

4 Possible ways of improving success

Bridging the gap between best practice and the rest

97. As noted above, there is a large amount of guidance on best practice and reports from various organisations, including National Audit Office / Public Accounts Committee (NAO/PAC). And yet, we continue to find major IT projects failing at an alarming rate and often for the same or similar reasons.[196] The number of poorly managed IT development projects has been a major concern of Parliament for a number of years, as evidenced by the reports issued by the NAO into defective IT programmes.[197] For example, the cancellation of the Benefits Payment Card in May 1999, is estimated to have cost "over £1 billion in lost fraud savings, nugatory expenditure and write-down of assets and costs" and is thought to rank "as one of the biggest IT failures in the public sector". [198] Edward Hasted estimated that with an annual spend of £29 billion on IT development the UK will be wasting in the order of £10 billion per year on failed projects, with more than £5 billion on additional funding to finish those that have become "challenged" projects.[199] The NAO report on Tackling Benefit Fraud, stated that the DWP's current IT systems were a constraint on managing fraud and errors.[200] A summary of the points raised in recent NAO/PAC reports about DWP IT related problems are listed below:[201]

System development

Delay in releasing new systems (for example NIRS2) due to a large number of outstanding technical and functional issues

Customer Service

Customers needing to provide personal details more than once for different benefits
Length of time taken to respond to calls in call centres and lack of assurance about the quality of advice given
Inability of staff to access letters on benefit decisions to discuss outcomes with staff
Poor quality of computer generated customer letters and inability to amend easily
Poor quality of address records held by DWP
Difficulties with monitoring complaints

Information management

Benefit customer data held on over 20 separate systems
IT systems and standards not compatible with other departments and private firms
Lack of secure e-mail facility

Fraud and error management

Problems with staff accessing guidance electronically
Inability of benefit decision-makers to access information in one place
Inability to detect inconsistent and erroneous information on benefit applications where: customers have provided different details about themselves for each benefit claimed; or,
have failed to disclose receipt of other benefits

98. We acknowledge, as the Secretary of State told us, that best practice evolves over time and that there is no fixed canon,[202] but equally we recognise that there is sufficient understanding of the key success factors to be able to identify the characteristics of good practice that should be evident in the planning and management of all IT projects. In short, there is a vast amount of guidance available on good practice, but scant evidence that such guidance is being followed comprehensively across the public sector. A number of major IT programmes that are defective, such as CS2, which we examine in detail in section five, were agreed some years ago, but there is also anecdotal evidence that best practice is still not being complied with. For example Sarah Arnott referred to a deal that was signed even though only one supplier was left in the bidding, contrary to principles of best practice.[203] She added that it was difficult to find out from official sources whether the rumours were true because of claims about commercial confidentially.[204] Tony Collins told us that the problem with IT failures was not a shortage of best practice, but the lack of adherence to best practice.[205] Sir Peter Gershon alluded to this lack of adherence with regard to project planning in a speech in 2003.[206] He said:

... there are still far too many projects and programmes reviewed by Gateway teams where, frankly, project planning is little better than something on the back of a cigarette packet ...

Sir Peter went on to say:

... and there is still the odd occasion where a project knows where it is today, it has a 'go live' date, but it suddenly does not have any credible plan as to how it gets from here to the 'go live' date and … there is no excuse there because there are … very well proven techniques out there that we simply just need to get on and import …without debate.

99. Although these comments underline the good work of OGC in identifying such breaches, it also reveals the worrying failure of departments to comply with best practice from the outset. This lack of adherence to the basic tenets of good practice contrasts with the repeated reassurances that departments often give to Parliament that they have learned from past mistakes. Sir Peter Gershon provided the following list of the most common causes of project failures.

List of common causes of project failure as identified by National Audit Office/Office of Government Commerce[207]

1. Lack of clear link between the project and the organisation's key strategic priorities, including agreed measures of success.

2. Lack of clear senior management and Ministerial ownership and leadership.

3. Lack of effective engagement with stakeholders.

4. Lack of skills and proven approach to project management and risk management.

5. Lack of understanding of and contact with the supply industry at senior levels in the organisation.

6. Evaluation of proposals driven by initial price rather than long-term value for money (especially securing delivery of business benefits).

7. Too little attention to breaking development and implementation into manageable steps.

8. Inadequate resources and skills to deliver the total delivery portfolio.

100. As Sir Peter pointed out, the usefulness of such a list depends on organisations having adequate mechanisms in place to detect these weaknesses at an early stage of a project that allows corrective action to be taken.[208] Nick Kalisperas (Intellect) told us that Intellect had worked with OGC to develop codes of best practice for suppliers and for all parties involved in government procurement. The supplier code would:

assist suppliers to understand better the challenges of working in public sector markets and establish a clear set of standards that public sector clients can now expect from their suppliers. It will emphasise the need for suppliers to adopt high standards of professionalism and corporate capability.[209]

101. Tony Collins told us that, "The Gateway Reviews are one of the best developments that we have seen in government for many years. "[210] DWP argued that Gateway Reviews provided a useful sounding board for issues, and could give leverage to get key decisions made.[211] Sarah Arnott was less certain about the value of the OGC's measures:

Some of the mechanisms that have been put in place by the OGC such as the Gateway Review process and the senior responsible owner and senior industry executive positions potentially go a long way to addressing some of the concerns. It is difficult to tell how far they will go because only programmes which are in procurement now or just finishing procurement now have been through those mechanisms from the very beginning. Only with the success or failure of these will we be able to see how effective the OGC measures have been. It is difficult to tell at this stage.[212]

102. In late 2003, the Cabinet agreed six mandatory actions intended to improve the success rate of government IT projects. Sir Peter Gershon informed us that, apart from these actions, none of OGC's guidance is mandatory.[213] We recognise Sir Peter's argument about the delicate balance to be drawn between central guidance and decentralisation, and about the difficulties of encouraging departments to follow the spirit rather than the letter of guidance. Nevertheless, we note that the Royal Academy of Engineering suggested recently that, "There is an exceptionally large discrepancy between best practice and common practice in IT and software engineering. "[214] This remains true in the public sector as well as the private sector.

103. Computer Weekly pointed out that, "Gateway Reviews are invaluable but departments do not have to act on them. "[215] We also heard evidence that OGC should be given more power to enforce its recommendations. In oral evidence, Sarah Arnott told us:

As far as the Gateway Review process goes, that should possibly be made mandatory and OGC should be given more power to enforce their recommendations. [216]

104. Indeed, the Secretary of State also felt there was a case for stronger powers, suggesting that, "departments and projects either ought to conform to the OGC advice, or be able to satisfy the OGC that they have some alternative which is securing the same ends in as effective a way. "[217] We further recommend that the powers available to the OGC are strengthened: (i) to impose the recommendations made by Gateway Reviews; (ii) to ensure that departments follow the guidance; and (iii) to allow the OGC to police compliance with mandatory actions.

105. Below we consider further suggestions for improving the success rate of IT projects.

Legislating for compliance with best practice

106. Tony Collins presented a strong case for following the US example and putting compliance with best practice onto a statutory basis. He said that in the US, this requirement was given legal effect by the 1996 Clinger-Cohen Act. This stipulates, amongst other things, that the Director of the Office of Management and Budget provides information, advice and assistance regarding the use of best practices and that US government information technology procurement be operated in the same way as an efficient and profitable business would be operated.[218] Tony Collins told us that the Clinger-Cohen Act requires public bodies to look at revising business processes before IT projects are implemented.[219] He contrasted that practice with the case of a major NHS programme where discussion about changing business processes followed the awarding of the contracts.[220]

107. A number of other witnesses argued against providing a statutory basis for best practice. Derek Ward (SchlumbergerSema) told us that:

I think it takes us into a real minefield. I think the striving for best practice and being able to demonstrate that consistent improvement is probably more important than trying to mandate some base level of it.[221]

Tom Warsop (EDS) told us that to lay down a specific best practice and expect that to be adhered to for ever it would not be the right thing to do, "because it will change, it will improve, over time, and I would not want to restrict all of our abilities to use the current best practice. "[222] Kevin Saunders (SchlumbergerSema) had no fundamental objection to the principle of making good practice more mandatory, but emphasised the importance of departments and Senior Responsible Officers (SROs) having the authority to make decisions.[223] He also cautioned against imposing an overly onerous or legalistic regime.[224] John Corneille (IBM) also emphasised the need for best practice to be applied in a sensible way by experienced people. He said that there were previous examples in Government when methodologies were mandated that had been applied too literally rather than applied with experience.[225] Sarah Arnott questioned whether it was possible to enforce cultural change via legislation alone and pointed out a number of reasons why the introduction of legislation to enforce compliance with best practice would be impractical, such as who would define best practice, how would it be able to evolve over time while retaining some semblance of usefulness in the short term and who would be prosecuted in cases of breaches. She argued that given that Ministers were unlikely to be prosecuted for such breaches, the weight of prosecutions was likely to fall on either unelected civil servants or the IT suppliers with the inevitable consequence of leading suppliers not to bid for such contracts or to bid only at impossibly high prices.[226] She said that:

to simply write current concepts of best practice into legislation gives no greater guarantee of success than the existing mechanisms developed by the OGC without imposing an impractical sanction.[227]

108. Sir Peter Gershon questioned whether the Clinger-Cohen Act had had any marked effect on the success rate of projects.[228] Another witness echoed this doubt :

While Clinger-Cohen has led to some improvements strengthening accountability and promoting awareness of how IT projects should be run, the system has flaws. This week, federal officials gave evidence to Congress revealing that, eight years since the act was first introduced, many agencies do not meet its requirements. They do not meet basic guidelines and some don't even have a fully qualified project manager at the helm. The Office of Management and Budget, which is the White House body in charge of federal IT, is taking a close look at $22bn worth of IT projects that are showing weaknesses in complying with Clinger-Cohen.

Few in the UK would dispute that there is a need for further change in the way the government carries out its IT projects, but a knee jerk call for legislation is not needed. Lessons can be learned from the US, but a sober assessment of the effect legislation has had on its IT would go a long way.[229]

109. Sarah Arnott also warned against under-estimating the marked differences between the legal systems in the UK and the US.[230] On balance, given the dynamic processes involved, we are not convinced that a statutory basis is currently required in order to increase compliance. However, we recommend that the Government invites the OGC to undertake and complete a review by 1 July 2005 into the likely effect of implementing the Clinger-Cohen statutory framework in the UK.

Publishing OGC Gateway Reviews

110. The Office of Government Commerce (OGC) was established in 2000, as an Office of the Treasury. It works with government to improve procurement and project/programme management, and with suppliers, to make the government marketplace more efficient and attractive to business. In its first three years, OGC claims to have delivered value for money gains of £1.6billion.[231] OGC has a number of key roles in relation to Government projects: running the OGC Gateway Review process for procurement projects in civil central government; helping departments to establish programme and project centres of excellence; and publishing guidance on best practice.

111. In a Gateway Review, an independent review team of experienced project leaders examines the project at up to six key decision points, from initial outline of the project to going live, in order to provide assurance that it can move to the next stage. There is no minimum financial threshold for reviews. The need for a review depends on the risk associated with the project. Review teams have access to all the stakeholders in a project and, for high risk projects, Ministers and Permanent Secretaries are always interviewed. All DWP's recent major IT projects should have been through Gateway Reviews. The review reports are not in the public domain on the grounds that this secrecy ensures an open and honest exchange between the review and project teams. Recommendations are not compulsory. Responsibility for action lies with the project team, but failure to address problem areas is thought to make it more difficult for projects to pass the following review. At each review, projects are given red, amber or green status:

Red - to achieve success the project should take remedial action immediately.
Amber - the project should go forward with actions on recommendations to be carried out before the next OGC Gateway Review.
Green - the project is on target to succeed but may benefit from the uptake of the recommendations.

112. OGC also helps departments to establish programme and project centres of excellence with the overall aim of producing a two to three fold increase in the success of central government projects within three years. The centres have three key roles: reporting to the management board on key programmes and projects; sharing information and lessons learned with Whitehall and other departments; and providing support to help programmes and projects with the right expertise when they need it. As regards publishing guidance on best practice in procurement, OGC has published over 2,000 pages of advice and guidance much of which is consolidated into a 'Successful Delivery Toolkit' available on the internet.[232]

113. One suggestion for increasing accountability and, through that, the success rate of IT programmes would be for these Gateway Reviews to be published. Under present arrangements, the reviews are highly confidential, despite the sums of public spending involved and the effect that inadequate IT is clearly having on constituents and public policy generally. In fact, the OGC reports are considered so sensitive that only two copies of each review are printed: the Review Team Leader (RTL) delivers one copy of the report to the designated Senior Responsible Officer (SRO) working within the relevant department, who is likely to be at Director level, and the second copy is sent to OGC in order for it to identify and disseminate generic lessons learned.[233] As the only recipient of all OGC Gateway Reviews carried out across central government, OGC is in a unique position to monitor the performance of major IT systems. The Government's argument for not publishing Gateway Reviews is that the review process would be weakened. The OGC makes the point on its website:

An OGC Gateway Review is conducted on a confidential basis for the SRO and ownership of the report rests with the SRO. This approach promotes an open and honest exchange between the programme/project and review teams delivering maximum added value.

114. Essentially, it is alleged that publication of the Gateway Reviews would result in staff becoming less frank with reviewers on the grounds that their comments would be published and their identity known. We recognise that one danger of publishing OGC Gateway Reviews is that two versions of each Gateway Review could be produced: one, as usual, for the SRO and OGC and a filleted version for general publication.

115. When initially asked, John Cross, (then) DWP's interim CIO, told us that he could not see why a gateway could not be published.[234] But he later added:

The only interesting thing one would just have to think about is the issue of behaviours. A point which to us seems to be important is that there is an extremely open and honest culture within the organisation about declaring these needs openly. Sometimes organisations clam up if they feel there is a threat hanging around. I have come from organisations where the history was that you did not like to ever declare that anything was wrong because you thought that was a weakness, whereas actually, it ought to be a weakness if you do not declare that things are wrong. I am more concerned that we drive out an increasingly open awareness and ability for people to be able to say what they like about these things, because ultimately that is the only way. My one real worry is that if people became too concerned about the publicity over their declaration of concerns or issues, that this might dampen them. That would be my one counter to the question "Why wouldn't you? " It seems to me, in a sense, obvious, but on the other hand, you just have to worry a little about whether it drives the right behaviours in the lower levels of the organisation.[235]

116. There was some support for this argument from Sarah Arnott, who also suggested a middle way through. She told us:

However, for the Gateway process to work effectively it is necessary for it to remain confidential. The review process relies on absolute honesty on both sides, an openness which would be seriously compromised if the reports were to be subject to public scrutiny. The most advisable course would be a middle ground - the review process made mandatory, with more power to enforce the recommendations, and a published statement of some kind signed off by both parties to ensure the process has been undertaken with due diligence without publicising the details of the discussions.[236]

117. However, DWP was not even willing to consider publishing a summary version of Gateway Reviews. Its policy was put forward in written evidence:

It is not our policy to disclose Office of Government Commerce (OGC) review reports because to do so would impair the value added by the review process. That added value relies on a frank approach in which participants can have confidence in the confidentiality of the process. This applies irrespective of whether the assurance review is conducted by OGC, another outside organisation or internally, and irrespective of whether publication would be immediate or at some point in the future. The Department's policy is in line with OGC guidance on disclosure. It is not within the gift of the Department unilaterally to reverse that policy without review and debate of the policy led by OGC and across Departments.[237]

118. We note that OGC guidance does not provide for a blanket refusal to publish Gateway Reviews.[238] OGC guidance suggests that publication of reviews should be determined on the merits of each case. We asked the Department how Parliament could exercise its legitimate duty of scrutiny of the Department and its Agencies when the Department refused to publish any of the many reviews into projects, such as CSA. In response the Department defended the Government's decision not to publish Gateway Reviews and pointed out that the NAO had a clear responsibility to scrutinise the Department and that "a review of the Child Support Reform programme will almost certainly take place when implementation is complete."[239] We acknowledge the excellent work of the NAO. Indeed, in this report we have referred to some of the problems caused by defective IT that have been identified in successive NAO and PAC reports.[240] The NAO, as the guardian of the public purse, discharges its responsibility in a highly effective manner. However, and this is not a criticism of its skill and dedication, the NAO tends to undertake post evaluations on projects as part of its value for money studies or as an audit. Although its reports are presented to Parliament and published, they are generally historic, whereas we believe major IT projects should also be subject to close scrutiny during their development. Current projects need to be subject to current scrutiny. Parliament and the public should not be required to wait years after the planning decisions were made or problems emerged before they can get a detailed account of what has gone wrong. Parliament requires the opportunity to scrutinise such projects armed with relevant detailed information. The NAO produces 60 reviews per year and cannot fulfil the necessary scrutiny process unaided.

119. It was noticeable from the evidence that a number of other witnesses supported the case for OGC Gateway Reviews being published.[241] During oral evidence sessions, a number of major IT suppliers said that they would welcome publication of OGC Gateway Reviews, or had no problem with publication,[242] provided all major IT projects were treated equally.[243] For example, Kevin Saunders said that SchlumbergerSema would be happy for them to be published. He added:

I cannot see any problem that we would have with them being published, providing there is a clear understanding of the framework, obviously. I think the reviews would have to be perhaps even more tightly controlled in terms of the management and input to them but I cannot see why we would have a problem with publication because we have been through them, we know how they work and they make key decisions.[244]

120. We found it refreshing that major IT suppliers should be content for the reviews to be published. We welcome this approach. It struck us as very odd that of all the stakeholders, DWP should be the one which clings most enthusiastically to commercial confidentiality to justify non-disclosure of crucial information, even to Parliament. We were surprised also that there is little central guidance to departments for dealing with those circumstances when the commercial IT suppliers are content for information to be made available and departments cling to commercial confidentiality. As regards damaging the review process, Tony Collins made the valid point that perhaps the reviewers are too close. He told us:

If Gateway Reviewers believe the quality and rigour of their advice and work would suffer if their reviews were published, we would question whether they are too culturally close to those they are reviewing and therefore perhaps not be sufficiently independent and objective to reach the tough conclusions that Gateway Reviews sometimes demand.[245]

121. We are not convinced that the Gateway Review process is so fragile that the current levels of secrecy are necessary. We are genuinely sympathetic to any reasonable argument that justifies some material to be excluded from the published version of a Gateway Review, but in our view, the Government's objection to publishing Gateway Reviews is based on an untested assertion that publication would invalidate the review process. Publication of inspections and reviews is a widespread feature of public life nowadays and there is no reason why a major public IT projects costing millions of pounds, should not be subject to the same open scrutiny that applies in other areas of public life. This is especially true when the projects in question have such a long history of poor service. We recommend that the Government should publish Gateway Reviews with appropriate safeguards or failing that to set out how Parliament otherwise can be provided with the level of information it needs in order to scrutinise adequately questions of value for money from major IT contracts. In written evidence, DWP said that:

It is not within the gift of the Department unilaterally to reverse [OGC policy on disclosure] without review and debate of the policy led by OGC and across Departments.[246]

122. We recognise that, in effect, the Gateway Reviews are work-in-progress documents, which deal with a range of aspects in a project and that it may be too early to judge the full effect of the gateway process since few cases have been through the whole gated system. We also recognise that Gateway Reviews have a very limited shelf life and are likely to provide very limited information to Parliament, and that publication of Gateway Reviews may risk the review process. On the other hand, Parliament needs to be kept informed about these important areas of policy. If the present system is unequal to the task, then further measures are necessary. Below we consider the case for the Department publishing the business case of each project before considering the role of independent audits.[247]

123. In short, we believe that more openness is needed and in our view one way to achieve this would be to give parliamentary committees greater access to Gateway Reviews. In the event that the case against full publication of Gateway Reviews can be substantiated, we call upon the Department to provide a summary document of each review within 6 weeks of the review being completed. We consider that by providing more information to Parliament, Ministers and officials will be under corresponding pressure to be kept fully informed about projects.

124. It should be noted that departments also operate a less formal system of internal Gateway Reviews. In the case of DWP, these examine twenty to thirty areas for each project, rating them red, amber or green. Mr Martin Bellamy of the DWP told us that the internal Gateway Reviews were generally speedy and informal and involved the parties in straight talking, which he said could be quite constructive. His concern was that publication of the internal Gateway Reviews would prolong the process and make it more formal and less helpful to managers.[248]

Publishing business cases

125. One of the best ways of putting key information about an IT project into the public domain is for departments to publish the Outline Business Case (OBC) and Full Business Case (FBC) for each major IT project.[249] The OBC contains important information, including the economic case (value for money and economic benefits for the UK), financial case (the effect on an organisation's cash flow and balance sheet), and the management case (covering governance, management of risk and realisations of benefits with a special section on contingency planning). The Full Business Case (FBC) contains further details about the project, including the procurement strategy.

126. It is important to note that the process for producing OBC and FBC is a different process from that which applies to Gateway Reviews. Gateway Reviews are concerned with quality assurance, whereas OBC and FBC cover a range of issues including economic, managerial and financial arguments for the project that are of interest to Parliament. However, both OGC Gateway Reviews and business case models are linked. For example the OBC covers similar material as Gateways one and two whereas the FBC ties in with Gateways three to five.[250]

127. The advantage of publishing the OBC and FBC for each project is that they would, at an early phase, provide Parliament with most of the necessary information with which to assess the outcomes of the IT programmes and business transformation, while still protecting the Gateway Review process. It also places the onus on the Department rather than commercial organisations to provide the project planning. Joe Flanagan, who is a leading exponent of business case models, told us:

Properly prepared, these demonstrate that IT investments have been well scoped and planned; offer optimum value for money (£); are commercially viable; affordable and achievable. In other words, they contain 80% of the information requested by some commentators of current practice." [251]

128. Interestingly, it seems that a number of the major projects that are currently attracting critical questions, such as the CSA's CS2 computer programme and telephony system, have not had their business cases published. Indeed, DWP told us that it does not publish any business cases nor the supporting documentation on the grounds that they tend to be couched in highly technical and detailed terms and contain information that could, if published, damage the Department's onward programme of competitive supply.[252] In short, the familiar claims of commercial confidentiality. It is on this basis that the Department has withheld publication of the OBC and FBC for CS2 and the CSA's new telephony system. When we asked OGC for its policy on publishing business cases it replied:

OGC does not recommend routine publication of OBCs or FBCs. Departments need to consider each request for disclosure on an individual basis in line with their legal obligations and any appropriate guidance. Once the Freedom of Information Act takes full effect in 2005, departments will be legally obliged to confirm to an applicant the existence of and disclose OBCs and FBCs, unless an exemption under the Act applies.[253]

129. DWP's routine refusal to publish OBC and FBC is contrary to this guidance, which calls for departments to determine disclosure on an individual basis. The Department's policy is also at odds with the practice of some other departments. For example, the Department of Health (DoH), another department with a major IT modernisation underway, has a policy to publish information on business cases for all major projects. The DoH states:

The Strategic Outline Case (SOC) is an extremely important document, and will arouse considerable public interest. … all SOCs that are approved will be made publicly available by their respective Strategic Health Authorities in the same manner as OBCs and FBCs.[254]

We call upon the DWP to publish on its website the SOC, OBC and FBC for all its significant projects. We feel that publication should include, amongst other items, the supporting documentation, especially including that relating to the register of risks, how such risks are to be managed, the Department's contingency planning and how it proposes to realise the potential benefits. In our view, publication of OBC and the FBC would provide a strong disciplinary influence on departments to focus on the detailed planning of IT projects, especially at an early stage. Publication of the OBC and the FBC would provide Parliament and stakeholders generally with the necessary information with which to ensure that business managers are kept on their toes and would allow select committees such as ours to conduct detailed scrutiny into IT projects at any time during the project's life on the basis of detailed evidence. As the lead agency on procurement and the vehicle for disseminating best practice, we would hope OGC will be given a key role in monitoring the publication of OBC and FBC across Government. We also urge the Government to consider adding publication of the OBC and the FBC to OGC's list of mandatory actions that departments must follow. As formal evidence to Parliament, we believe that a summary of the Full Business Case should be included in the proposed IT Implementation Assessment (ITIA). We recommend that the DWP publish strategic, outline and full business cases together with relevant supporting information.

Publishing independent audits

130. During the course of our inquiry, Tony Collins made the case for IT projects to be subject to independent reviews. He suggested that the Arthur D Little audit of the (then) new air traffic control systems (New En Route Centre) at Swanwick in Hampshire was a good, but rare, example to follow. Although the audit was commissioned by the Government, the report was published by the Transport sub-Committee in 1998. The auditor, Arthur D Little, was appointed as a result of a competitive tender. Its report is generally viewed as providing a thorough analysis of the weaknesses in culture, management and accountability that contributed to the project being delayed and over budget. In the event, the report was thought to have led to many changes in the way the NATS project was run while also strengthening the processes of parliamentary accountability. When the report by Arthur D Little was published in 1999, the air traffic control system at Swanwick was already about three years late; a situation not dissimilar to that facing CSA. The control system was originally due to go live in 1996, but eventually did so in January 2002. Although it is rare for a report like the Arthur D Little audit to come into the public domain, we consider that such an independent audit could provide us with a good model for scrutinising major IT projects that are facing severe problems. John Cross (DWP) told us:

They [independent reviews] certainly are commissioned, and in fact, my own view about that is that we ought to have more regular, light-touch, independent reviews commissioned as part of the project. My own view about assurance is that I like to see independent value judgments being made as you go down any particular major project route.[255]

131. Other witnesses were doubtful about the benefit of independent reviews. For example, EDS told us that they saw little benefit in having an independent review towards the completion of a system.[256] Derek Ward (EDS) told us that it would be very difficult then for an independent body to get to grips with the risks and complexity and that a review at that stage is likely to be fairly shallow or trivial.[257] He added: "What you really want is assurance that the process is being followed properly through at earlier stages in the project, that you are actually aimed in the right direction, rather than wait till you have arrived and say, "Is this where we wanted to go?"[258]

132. We do not accept that such reviews would necessarily be cursory and of limited use. In written evidence, Edward Hasted pointed out that although hundreds of reports and inquiries had been written on trying to improve the success rate of IT projects, they had had little success.[259] He pointed out that compared with the low success rate of IT projects, such reports were published only infrequently. Edward Hasted recommended that reviews of all projects should be mandatory, irrespective of whether a project succeeded or failed: "if it failed we need to know what not to do. If it worked we need to find out why so we can repeat the success. "[260] We do not expect such auditing to pose a serious increase in the burden on project managers. But in cases where projects are in serious difficulty, it may be necessary to undertake in-depth reviews. The burden may be lightened if it is triggered by recommendations from the appropriate select committee or by some rule of thumb calculation, such as if a project is 20% over budget, 20% late or suffering significant loss of initial functionality. We consider that the case for independent audits, similar to the inquiry into NATS, is something that Parliament may wish to consider, if the Government does not provide Parliament with the necessary information.

Using the Freedom of Information Act (FOIA)

133. We asked some witnesses whether they were anticipating that the Freedom of Information Act (FOIA) would lead to more information being made available. In general, no witness thought FOIA would have any effect on the disclosure of information relating to IT projects. It was thought that exemptions would apply.[261] Equally, there was no evidence that FOIA was likely to put off suppliers from bidding for public sector contracts. Sheelagh Whittaker (EDS) told us that EDS was experienced in working under jurisdictions that operated freedom of information legislation and that the only test was to ensure that any claimed exceptions were genuinely commercial.[262]

134. Avi Silverman and Tony Collins cast doubt on departments being able to meet the terms of the FOIA in time.[263] Tony Collins also thought that there were enough exclusion clauses in the Act for it to make little difference to journalists.[264] The full provisions of the FOIA will start to come into effect in January 2005.[265] As a minimum, the FOIA will require departments and other public bodies to set out their disclosure policy. It is likely that the Information Commissioner and his tribunal will be requested to consider a number of disclosure requests relating to the secretive contractual deals that exist between departments, such as DWP, and their suppliers. Although FOIA contains provisions for disclosure to be denied on grounds of commercial confidentiality, it is important to note that such exemptions are subject to a public interest override. It remains to be seen to what extent the implementation of the FOIA will remove the unnecessary use of commercial confidentiality to obscure contractual deals.

135. We recommend that the Department by 1 October 2004 sets out how it proposes to deal with requests for detailed information on publicly funded IT projects from members of the public or other interested commercial organisations under the provisions of the Freedom of Information Act that come into effect in January 2005.

196 Q 184 Back

197 References are set out in annex two Back

198 The Cancellation of the Benefits Payment Card Project, HC 857 1999-2000, 18 August 2000. Back

199 Ev 111 Back

200 Thirty-First report of the Committee of Public Accounts, Tackling Benefit Fraud, HC 488, 2002-03 Back

201 A full list of references is given in annex 2. Back

202 Q 564 Back

203 Qq 197-9 Back

204 Q 199 Back

205 Ev 143 Back

206 23 October 2003, see OGC website Back

207 See Ev 131 Back