Select Committee on Science and Technology Sixth Report


6  The treatment of risk

Treatment of risk

112. The identity cards scheme faces a range of risks including technological problems, vulnerability of information, physical damage to systems, time delays and escalating costs. Given the potential for severe damage to public confidence in the scheme if these risks are not mitigated successfully, risk management is a key component of the scheme. The importance of risk management in large-scale ICT projects like the identity cards programme cannot be underestimated. The UK Computing Research Committee has stated that "poor risk analysis and risk management is repeatedly identified as a significant factor in the failure of public sector IT-enabled business change projects".[233] The LSE has noted that "the accumulated independent evidence on large complex IT projects is that they have been and always will be high risk in terms of implementation and unanticipated costs".[234]

113. The evidence that we have received from external organisations in relation to the Home Office's approach to risk management has varied. Qinetiq stated that "it is our view that the programme still contains considerable risk at this stage of procurement".[235] The LSE went further and asserted that "there is a significant risk that the technology will never work well enough in practice for a large-scale public domain application, and large amounts of money will be lost if this is discovered too late in the project".[236] However, other groups have disagreed. The British Computer Society (BCS) has said that "within the ID arena [risk analysis] seems to have been successful" and the National Physical Laboratory has affirmed that "risk is being appropriately considered".[237]

114. The Home Office has asserted that it is following best practice with regard to risk management. The Identity and Passport Service Programme Control Office Risk Management team is embedded in the identity cards programme and its policy draws on advice from the Office of Government Commerce Management of Risk, the HM Treasury Orange Book, the Institute of Risk Management and the Government Communications Head Quarters (GCHQ).[238] This policy involves identifying all risks as early as possible and providing them with a named owner, who is given advice by a risk manager. The owner assesses the probability of the risk occurring and its likely impact on budget and schedule. This information is entered into a programme risk tool that calculates an overall score, which it uses to prioritise the risk. The risk owner then decides how to approach the risk, for example transferring it, tolerating it, terminating it or treating it. If possible, the risk is mitigated. The details of these risks and their mitigation are entered into a risk register.[239]

115. As part of this risk management strategy, the Home Office also undertakes contingency planning. The Home Office has told us in response to written questions that "Contingency planning is not done for every risk but will be done, in line with accepted practice, chiefly based on the severity of the post-mitigation status and overall risk score for the risk".[240] The Home Office appears to be confident in this process. The Minister, Joan Ryan said that "I am not anticipating something major that would completely delay or derail the programme".[241]

116. Despite repeated requests from the Chairman of this Committee to view the relevant sections of the risk register in confidence, the Home Office has not granted us sight of the risk register because of its sensitivity at this stage in the programme. The Minister, Joan Ryan, said that "there are potential confidentiality issues around parts of the risk register and obviously, at the point we go into procurement, this is crucial."[242] Instead, on 10 July 2006 the Home Office provided presentations that gave an overview of their approach to risk management and used examples of risk management from within the programme (see paragraph 5). These examples give us a level of confidence in the Home Office's risk management strategy but we note that we only discussed a selection of risks. We were surprised that the Home Office was not content for us to list the examples that we discussed, even without reference to risk level or risk treatment.[243] We do not believe that the Home Office's caution on this occasion was justified and the incident exemplifies the closed nature of the identity cards programme. The Home Office has provided us with details of the risk management strategy within the identity cards programme. However we are disappointed that the Chairman was not allowed to view the risk register in confidence. In the light of the evidence provided to us, we are somewhat reassured by the Home Office's risk management strategy. Any delay to the procurement process will postpone the treatment of various risks. We seek assurance that the timing of the procurement process will be considered in relation to risk management.

117. We note concerns from external bodies that highlight that information regarding risk management within the identity cards programme has not been made public. Microsoft has stated that "during the present phase of consultation the risk model has not been made publicly available".[244] We accept that the Home Office may not wish to make the exact risks encountered by the project public for security reasons. However, we think that the identity card programme could benefit from a wide-ranging discussion regarding risk management strategy before entering the procurement process. We recommend that the Home Office make details of its risk model public and that it takes steps to ensure that advice regarding risk management can feed into that model.

118. The identity cards programme has undertaken several Office of Government Commerce Gateway (OGC) Reviews. These Reviews independently examine acquisition programmes and procurement projects at critical stages in their lifecycle. There are five OGC Gateway Reviews during the project lifecycle: three before contracts are awarded and two focusing on service implementation. The OGC Gateway Review 0 is a programme-only review that is repeated throughout the programme's life and it can be applied to policy implementation, business change or other types of delivery.[245] The House of Commons Public Accounts Committee undertook an inquiry in November 2005 on the OGC Gateway Review process. It found that the process had succeeded in "bringing more rigorous scrutiny and oversight to IT-enabled programmes and projects, and providing the means to highlight risks sufficiently early for senior management to take recovery action".[246] As a consequence, we have confidence in the Gateway Review process. The identity cards programme has undertaken the following reviews:

Gateway Zero (Strategic Assessment) completed 30 January 2004

Gateway One (Business Justification) completed 18 July 2005

Gateway Zero (Strategic Assessment) completed 14 January 2006

Gateway Two (Procurement Strategy) completed 11 April 2006

119. We acknowledge that these reviews remain confidential in order to ensure that participants are fully open regarding the actions that are needed in order for a programme to proceed to the next stage.[247] However, outside the programme the lack of information regarding the Gateway Review process has generated concern, which has been heightened by recent press reports containing information from the OGC.[248] The Local Authority Smartcard Standards e-Organisation (LASSeO) has stated that "presumably the project has been through some kind of gateway process but this remains unclear outside the project".[249] We recommend that an overall indication of the outcomes of the OGC Gateway Reviews, but no specifics, be made public in order to increase confidence in the scheme.

120. One of the serious risks faced by the identity cards project is that time pressures will prevail and the scheme will be rolled-out before it is ready. We have already described the Home Office's incremental, cautious approach to the scheme (see paragraph 10). The Minister, Joan Ryan said in oral evidence that "I do not feel I am running this according to some political deadline".[250] We are concerned however that earlier in the same session she said that "What we have been told is that there is a desire, and a strong desire, to see ID cards towards the end of 2008-09 being issued".[251] Moreover the Home Secretary, Rt Hon John Reid MP said to the House of Commons on 11 July 2006 that "I reaffirm our commitment to the introduction of those [identity cards] as rapidly as possible".[252] If a deadline is strongly desired, the Home Office might alter its currently cautious approach as the deadline approached and in doing so, place the success of the scheme at risk. We also note that as the end of the current Parliament approaches, political pressure upon the scheme may increase. It is important that the impact of a politically-imposed deadline will not override the impact of scientific advice or evidence on the readiness of the scheme and we seek reassurance from the Government on this point.

121. In relation to biometrics, one of the key risks faced by the scheme is the presentation of false biometrics, "spoofing" (see paragraph 19). The Home Office acknowledged in written evidence that "It may be impossible to prevent applicants falsifying (spoofing) their biometrics. This risk can be mitigated through analysing the threat posed and designing the correct detection processes and by ensuring that the deterrent regime is appropriate".[253] Furthermore, the Home Office has stated that the identity cards programme team is working with experts from the Communications Electronics Security Group (CESG), the National Physical Laboratory and independent specialists.[254] They have also reassured us that resistance against spoofing will be part of any biometric testing during the procurement process.

122. Whilst biometrics obviously involve risks such as spoofing or unreliability of verification, it is important that the Home Office does not just focus on this field because it is an emerging technology. Dr Tony Mansfield from the National Physical Laboratory told us that "There seems to have been a focus on the biometric element as being the most technical and perhaps least understood element of the whole scheme, and to my mind assuming that is where all the risks lie is totally incorrect".[255] With regard to the identity cards scheme, it must be recognised that the ICT system, as well as the biometric technologies, involves risks. We emphasise that the cost of failure of this project would be great and the Home Office cannot afford to be complacent regarding any aspect of risk management. We emphasise the importance of the development of an holistic approach to risk management in order to ensure that focus on biometrics as an emerging technology does not detract attention from other aspects of the scheme.

ICT system

SYSTEM ARCHITECTURE

123. Large-scale ICT projects are generally considered to be high-risk and numerous reports have highlighted problems with schemes similar to the identity cards programme. The Royal Academy of Engineering and British Computer Society Report, The Challenges of Complex IT Projects, said "it is alarming that significant numbers of complex software and IT projects still fail to deliver key benefits on time and to target cost and specification".[256] The Public Accounts Committee Report, Achieving Value for Money in the Delivery of Public Services, said that "IT projects have over the last ten years been prone to significant problems which the Committee believe should have been avoided".[257] The Home Office has been associated with computer projects such as the police national computer, the UKPS ICT project and the asylum seeker processing system that have drawn criticism in the past.

124. In oral evidence however, several witnesses emphasised that the risk of a major ICT system going wrong could be mitigated and we note that several schemes such as the DVLA online car tax system or the HM Revenue and Customs online tax return system have been successful following some initial problems. Professor Martyn Thomas said that "UKCRC is increasingly frustrated by the fact that major IT procurements go wrong for entirely avoidable reasons".[258] Dave Birch from Consult Hyperion also said that "We get a lot of criticism about all of these projects continuously going wrong […] It is not just because we are IT people; it is because of the way these things are approached".[259]

125. The Home Office's current approach is to allow industry flexibility in producing a solution. In oral evidence Katherine Courtney said that the identity cards programme team is choosing "to focus on the outcomes we are trying to achieve and not dictate to the industry what the technical architecture should be".[260] The Minister, Joan Ryan, also explained that the technology that is developed through procurement will be driven by the outcomes required by the scheme. She denied that the Home Office would be hostage to the market, saying that in the first phase when prototypes or pilots are produced the market will bear the risk.[261] This approach presumes firstly that industry will be able to deliver an appropriate solution and secondly that the Home Office and its consultants have sufficient expertise to judge between the solutions proposed by industry. We are concerned that the Home Office may be leaving the design of the scheme up to the market, because it lacks the scientific expertise to be an intelligent customer. In oral evidence, Nigel Seed acknowledged "we are not the experts in the technology; they are".[262] Furthermore, the Minister, Joan Ryan said to us that "The private sector suppliers are the experts in developing the technology. We want to use their expertise and continually stretch them throughout the procurement process".[263] This issue has been raised in written evidence by Peter Tomlinson from Iosis Associates who states that "procurement by the public sector of ICT systems and services is today largely in the hands of people without expertise in this technology area, whereas until the early 1990s public sector purchasers of IT systems generally had the expertise".[264] It was echoed in oral evidence by Dave Birch from Consult Hyperion who said that "you have people who are, frankly, scientists giving evidence to people who are, frankly, not".[265]

126. Although the Home Office has said that it will leave the solution to industry, industry representatives have expressed uncertainty regarding the extent to which the scheme will be prescriptive. Nick Kalisperas argued that "If you just say, 'We are going to leave it to the market' that is just too broad. There has to be the outlines of a specification there".[266] Dave Birch disagreed, saying that "It is not being left up to the market; it is in fact very prescriptive. It is already decided that there will be a smart card. It is already decided that there will be a register".[267] Jerry Fishenden from Microsoft responded that "there is something contradictory happening here" and noted that "the proof will be when the procurement documents come out and we can see how outcome-based it is and how prescriptive or not the actual procurement intends to be".[268] Either a non-prescriptive or prescriptive approach is valid as long as the Home Office makes its intentions clear. The apparent contradiction between the Home Office's assertions and its actions is causing confusion, which as already explained has been exacerbated by a lack of clarity regarding the terminology surrounding procurement (paragraph 46). We are disappointed that confusion regarding the specification of the scheme has arisen and we are concerned that, as mentioned earlier, the Home Office has not seemed to want to engage with industry regarding the architecture of the scheme before releasing the specifications (paragraph 30). Industry is hoping that the commencement of procurement and the release of specifications will clarify the Home Office's position. Once the specifications have been released, we urge the Home Office to take steps to ensure that the specifications, requirements and risks have been clearly understood by all involved.

127. The evidence has highlighted that in complex ICT schemes, it is best practice to develop a system architecture for the scheme as soon as possible. Professor Martyn Thomas from the UKCRC explained in oral evidence that:

"in the same way as an architect sits between the client who wants a new major building, and works out with the client what the requirements will be, how the business will be affected by the new system that is being procured, in exactly the same way, you could have a system architect come in for major IT systems, to work in a very technical way with the potential suppliers but in a very business-oriented way with the client and do the translation, so that the architect would capture the business requirements and turn them into a very rigorous specification because they would be put out for competitive procurement."[269]

128. The written evidence submitted by the UKCRC said that "Systems Architects would be people with advanced skills in adopting rigorous approaches to software development and project evaluation".[270] Professor Thomas expanded upon this point in oral evidence, explaining that "system architects would typically come from the innovative smaller companies that are using the more advanced technology by doing things like requirements' analysis".[271] The points raised by Professor Thomas have previously been outlined by the British Computer Society and the Royal Academy of Engineering report on The Challenges of Complex IT Projects.[272] This report emphasised that a systems architect should provide an overview of the technical structure of a scheme without detailing its implementation. It stressed that an effective IT architecture should be flexible, scalable and evolvable. Thus, the notion of setting an architecture for a scheme does not exclude a competitive and innovative procurement process. Furthermore, this approach overcomes the problems that can be faced by a department that lacks the right level of skills. Intellect has said that "system requirements that are inadequately explained and thought through in the procurement specification or changed during the process create an unacceptable burden, especially for smaller suppliers".[273]

129. We have not received clear evidence that the Home Office has considered this approach in ICT, although we note that a similar approach is being used in relation to business aspects of the scheme.[274] The Home Office has said that it is using a "modular IT architecture design approach" but has provided little more information.[275] In response to written questions, the Home Office has said that it is working with Qinetiq to explore "model technical architectures which are tolerant of high data volumes and variations in data volumes".[276] However, it also notes that neither the scope of this project nor its timescale are finalised. The Home Office is reliant on external expertise in the area of ICT and is unable to act as an intelligent customer of scientific advice. We recommend that the Home Office uses a senior and experienced systems architect to advise on the specifications and to provide support during the procurement process.

SECURITY

130. The Government claims that the National Identity Register will be highly secure. In oral evidence to us, Katherine Courtney said that "I was intent on having the best security advice possible, and so we brought in not only the government security advisers but also other independent security advisers to work with us on this".[277] She emphasised that the scheme was already part of the critical national infrastructure and as such, it was being accredited by the Government's security advisers.[278]

131. Security is a key aspect of the identity cards scheme. Having your credit card stolen is different from having your identity stolen; one can be rescinded and replaced, the other cannot. Professor Martyn Thomas explained to us that:

"If you start then tying authentication into biometrics which cannot be changed if they are compromised, then if you start getting those stolen electronically and using them for remote authentication, customer-not-present type authentication, you will create a security nightmare where somebody's biometrics are no longer available to them to authenticate themselves for the rest of their lives."[279]

This difference raises the stakes, it changes the security landscape and impacts upon the risk mitigation processes.

132. As already discussed, the Home Office has emphasised that the system may not necessarily be one database (see paragraph 22). Katherine Courtney explained that it "is an assumption that there is one database. We have not predetermined the architecture of this system".[280] Nigel Seed clarified the point by saying that "If industry comes back and says one single monolithic database is the best way and it meets all the requirements then there may be one database. Equally, they could come back and say the security is increased by having partial data here and partial data elsewhere".[281] The solution proposed by industry will have to meet the requirements of the security accreditors.[282]

133. There have been numerous assertions that a single database would increase vulnerability and risk. The UK Computing Research Committee (UKCRC) said in evidence to the Home Affairs Committee, "if you create either a single card that has multi functions or a single database then you are adding to the nation's critical infrastructure unnecessarily and by doing that you are making a very large range of services, probably a growing range of services, vulnerable to a single attack".[283] Jerry Fishenden, National Technology Officer at Microsoft has also been reported as saying that "putting a comprehensive set of personal data in one place produces a honeypot effect—a highly attractive and richly rewarding target for criminals".[284]

134. Furthermore, we have received evidence that in order to decrease risk and increase security the solution should be based on systems already in use. Intellect has stated in written evidence that "It is industry's belief that the Government's proposed ID Cards Scheme should be built on technology and business processes that have been proven in existing implementations around the world."[285]

135. We recommend that the Home Office give the security properties of the solution a very high priority, not only from the point of view of being trustworthy but also to ensure that the security features do not adversely impact upon the operation of the scheme. Furthermore, we suggest that if possible, the solution should be based on security architectures, technology and processes that are already in use.


233   Ev 76 Back

234   Ev 90 Back

235   Ev 86 Back

236   Ev 91 Back

237   Ev 82, 110 Back

238   Ev 118 Back

239   Ev 123 Back

240   Ev 123 Back

241   Q 1175 Back

242   Q 1161 Back

243   Ev 129 Back

244   Ev 127 Back

245   OGC Gateway Review 0: Strategic assessment, www.ogc.gov.uk  Back

246   House of Commons Public Accounts Committee, Twenty-Seventh Report of 2004-05, The impact of the Office of Government Commerce's Initiative on the delivery of major IT-enabled projects, HC 555, p 1 Back

247   Ev 115 Back

248   "E-mails from Whitehall officials in charge of ID cards", The Sunday Times, 9 July 2006 Back

249   Ev 94 Back

250   Q 1174 Back

251   Q 1159 Back

252   HC Deb, 11 July 2006, col 1324 Back

253   Ev 51 Back

254   Ev 60 Back

255   Q 553 Back

256   Royal Academy of Engineering & British Computer Society, The Challenges of Complex IT Projects, April 2004, p 4 Back

257   Public Accounts Select Committee, Seventeenth Report of Session 2005-06, Achieving Value for Money in the Delivery of Public Services, HC 742, p 11 Back

258   Q 488 (Thomas) Back

259   Q 488 (Birch) Back

260   Q 270 Back

261   Q 1151 Back

262   Q 276 Back

263   Q 1150 Back

264   Ev 98 Back

265   Q 486 Back

266   Q 489 (Kalisperas) Back

267   Q 489 (Birch) Back

268   Q 489 (Fishenden) Back

269   Q 487 Back

270   Ev 75  Back

271   Q 487 Back

272   Royal Academy of Engineering and British Computer Society, The Challenges of Complex IT Projects, April 2004, p 22 Back

273   Ev 104  Back

274   Cabinet Office, Person Specification IPS Chief Business Architect, May 2006 Back

275   Ev 118 Back

276   Ev 114 Back

277   Q 305 Back

278   As above Back

279   Q 489 (Thomas) Back

280   Q 345 Back

281   Q 349 Back

282   Q 351 (Bloomfield) Back

283   Home Affairs Select Committee, Identity Cards, p 22 Back

284   Gerri Peev, "ID Cards will lead to 'massive fraud'", The Scotsman, 18 October 2005 Back

285   Ev 91 Back


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2006
Prepared 4 August 2006