Select Committee on Environment, Food and Rural Affairs Written Evidence


Memorandum submitted by Iosis Associates (RPA Sub 13)

INTRODUCTION

  1.  This paper is primarily a set of views on the general public sector problem of which the RPA fiasco is just one manifestation. In some sectors of public administration this paper applies to the whole of the UK, but in other sectors Scottish and Welsh devolution brings some mitigation to those member countries of the UK (that is clearly the case with Single Farm Payments).

THESIS AND INITIAL COMMENTS

  2.  The thesis of this paper is that:

    (a)  major new Policy initiatives in service delivery to the public and to businesses (Specific Policies) are conceived by the Executive on the basis that IT and its broader and significantly more complex cousin ICT[4] can be harnessed in a relatively short period of time to support, and in some cases be the main enabler of, new or significantly enhanced service delivery channels;

    (b)  across the Civil Service, many Departments of State are not organised or equipped to implement and operate the major new or significantly enhanced methods of service delivery required by the Executive;

    (c)  the Executive, although it commissions Support Policies to show how IT and ICT can be harnessed by public services[5], has not ensured that the Departments of State required to deliver services are organised and skilled for successful service delivery using advanced IT and ICT methods;

    (d)  the relationship between Departments of State and their Executive Agencies is not clear, and may well contribute to the failures and poor performance witnessed;

    (e)  deployment of the large scale systems, both organisational and technical, required for the new or significantly improved service delivery channels, is largely an engineering task, not simply an administrative one; and

    (f)  Treasury financial rules do not facilitate the major investment needed to deliver "administrative process re-engineering"[6] as the public sector's foil to the private sector's "business process re-engineering".

  3.  Although not directly relevant to the EFRA Committee, the relationship between the ODPM and Local Authorities demonstrates initiatives and problems similar to those found between the Executive and the Departments of State. By contrast, the PTEs[7] and Transport for London have very different legal and governance regimes from those of the Local Authorities, and have been and continue to be very successful in service delivery—albeit at a significant financial cost.

  4.  First I must state that as far as Defra and the RPA are concerned, I am today an observer from a distance, albeit with a family interest in both rural affairs and government's oversight of the horticulture section of the food chain,[8] plus personal contact with growers and farmers at the local Farmer's Market and via a local butcher's shop where the owners also have a livestock farm. Thus, on the specific topic of the RPA and its SPS, my information comes almost entirely from published sources.[9] In other areas of public administration my experience includes a great deal of both direct and indirect contact with the public sector, at both central and local government level, and currently I'm working with a small trade association for businesses specialising in ICT products and methods.

DEFRA'S RPA IN CONTEXT

  5.  Events have unfolded quickly since the RPA admitted that they were unable to make the bulk of the SPS payments by the promised end of March date or indeed make more than a small proportion of those payments. Unusual in this case, and very welcome, has been both Defra's quick response in shaking up the RPA and reorganising some of its people-centred processes, and also the positive input from the organisations representing the hard pressed recipients—in particular the input from NFU and CLA. Unusual, that is, by comparison with the response to other systemic failures in the public sector when "reform" agendas go awry or when transaction volumes rise beyond the capacity of "ancien regime" systems to cope with them. However, the recent response by Defra must not allow their long term massive failure of oversight of the RPA to be pushed into the background.

  6.  The RPA fiasco is not unique within the public sector—we can all list spectacular failures in a number of central government departments, but there are also programmes that suffer from one or more of:

    (a)  being baulked (eg Government Connect from ODPM),

    (b)  running very late (eg the Youth Justice systems),

    (c)  security breaches leading to fraud (eg HMR&C's Tax Credit on-line service),

    (d)  a troublesome launch (eg at end April 2006 the new VOSA MOT Certificate system),

    (e)  being in danger of fading without delivering (eg seamless travel by public transport, and in particular the electronic ticketing method referred to as the "ITSO method"[10]), or

    (f)  delivering a significantly flawed service (eg the journey planning section within Transport Direct).

  7.  I contend that there will be further failures or instances of poor performance (perhaps in the ID Card project) unless there is a process of "administrative process re-engineering" in the public sector to complement the "business process re-engineering" that has happened in many areas of commerce and industry. The seeds of that re-engineering have been sown, but often they do not germinate (there is none of the finance that they must feed on).

  8.  Fiascos such as that afflicting the RPA are not simply a result of failures in the present elected administration, for there were similar problems whose gestation was pre-1997, and perhaps the trend was there as far back as the 1980s when the rapidly growing capacity of IT systems brought the promise of automating much more public administration in a "win-win" manner: better services at lower cost. My own first contact with the EFRA Committee mentioned the similarities with the passport issuing fiasco in 1998, where a system planned at least three years before ran into difficulties in the face of rapidly increasing demand, just as the passport issuing staff were learning to use it. Arguably the new computer and printing systems installed for issuing passports were initially under-specified, ie they could not handle a high enough volume of applications, but at the same time managerial errors and a catastrophically timed policy change compounded the problem. For more information on the 1998 passport system problem see the Annex to this paper.

  9.  On the previous page the term "ancien regime" is used advisedly, in an echo of a comment heard on 26 April 2006 on BBC Radio 4 in relation to the failure to deport foreign criminals when they are released from prison. It was said that two "Victorian" administrative systems (prison system and immigration service) had become overloaded and could neither expand nor adapt. Further explanations in the media showed that a manual records system was being used in the prisons, with a prisoner's file having to physically go with the prisoner as he or she is moved from gaol to gaol, and that in the last 10 years the number of foreign prisoners has increased from 3,000 to 10,000. That is an example where, as part of a natural process of using emerging Best Practice, a national IT system should have been installed to handle all prisoner records, linked to a deportation control system—after all, the Home Office handles both tasks.

  10.  It is worth noting that close to government there is a success story: the BBC has redesigned its programme production systems to deliver content equally over the broadcast networks and on-demand over the internet, and also to provide large amounts of supporting information and user response channels, in a coordinated manner, on its web sites.[11]

TOP-DOWN ANALYSIS

  11.  Any enquiry about a specific service delivery failure or inadequacy needs to look at:

    (a)  the linear relationship between the responsible persons in the Executive (a Secretary of State and his or her Ministers), the applicable Department of State, any involvement of an Executive Agency of that Department, and related suppliers of goods and services to the public sector, and

    (b)  all other intersecting relationships, both within UK government and external to it.

  12.  Overall, if we are to start to understand how and why multiple service delivery failures and inadequacies occur across broad swathes of government, it is common factors in the workings of government that have to be understood:

    (a)  commonality in the linear relationships from the Executive all the way through to suppliers, and

    (b)  commonality in the intersecting relationships, particularly with Cabinet Office and with the Treasury.

  13.  This paper is primarily about the common factors internal to UK (sometimes just English) government, but one common complication caused by an external relationship will be included: EC regulations changing during development of a service—the published material states that this affected the SPS.[12]

  14.  A Specific Policy for service delivery passes down the linear chain from the Executive all the way to suppliers. Such a Policy directly mandates delivery of a particular service or closely related group of services:

    (a)  In recent years, governments of both hues have made policy decisions (sometimes are required to make them because of EU legislation) that are implemented by way of large scale administrative systems. They may be completely new systems, or replacements for, or major changes to, existing systems. Typically the systems have significant IT or even ICT content, and are intended to process large volumes of transactions with either the public or business or both.

  15.  Analysis shows two classes of intersecting Policy:

    (a)  Realising that Specific Policies of the type described above will require new methods of working, and also realising that natural development in other areas of public administration (particularly in local government) will increasingly use ICT methods, the Executive has also made policy decisions relating to the methods to be used to develop and operate large administrative systems. These policy decisions are mediated through Cabinet Office before being passed on to the service delivery Departments. In this submission this type of Policy is known as a Supporting Policy.

    (b)  New developments of administrative systems and methods, or major changes to existing ones, require development funding and operational funding for "administrative process re-engineering". Here Financial Policy applies.

  16.  Each individual Government Minister has a clearly understood responsibility, whether as Secretary of State, etc, within Cabinet; or as a Minister within a Department. A Secretary of State and the associated departmental Ministers take a Specific Policy from Cabinet to the Department, and the Civil Servants have the duty to implement that Specific Policy—but individual Ministers do not dictate how their Department organises itself to implement the Policy.

  17.  Clearly the Civil Servants have a duty to keep Ministers advised on progress with both implementation and then operation of the service. And it should not matter whether implementation and operation is wholly within a Department, or is devolved to an Executive Agency.

  18.  Equally clearly there is a common problem across many Departments of State, leading to failure or to inadequate service delivery, with Ministers unable to avoid those problems and sometimes not knowing about them until too late. With the individual Departments of State wholly contained within the Civil Service, it has further become clear that an across the board change of methods of working by the Civil Service is required if the problems are to be resolved. However, it is that problem of methods of working in the Civil Service that has caused the development by the Executive of Supporting Policies; the vehicle used for this is the Cabinet Office, which takes on board a Supporting Policy so that its civil servants can add considerable technical content.

  19.  Note that Cabinet Office is both closely allied to the Cabinet and also carries some responsibility for the Civil Service—it is headed by the person who is both Cabinet Secretary and Head of the Home Civil Service. That is relevant to the core problem faced when trying to understand the problems of service delivery: Cabinet Office itself is likely to be afflicted with the problems that affect spending Department performance.

CABINET OFFICE AND SUPPORTING POLICIES

  20.  Two questions immediately arise:

    (a)  Are the civil servants in Cabinet Office themselves using methods of working that produce excellent results when developing Supporting Policies?

    (b)  Do those departments that are implementing Specific Policies also implement Supporting Policies?

  21.  On the Cabinet Office methods of working my experience is very variable:

    (a)  OGC work, resulting in publications on methods of working [2], is excellent as far as those publications go but it does not go far enough; also there is a very clear new draft Civil Service Code [3];

    (b)  CSIA work on Information Assurance [1] is excellent, albeit not always entirely clear [5] and now somewhat dated,[13] particularly so in its failure to look forward to the need for rapid growth in service delivery across the internet to home and office;[14]

    (c)  development of common methods and components for secure transactions across the internet between citizens and businesses on the one hand and local or central govt servers on the other hand has not even started, due to a failure to consider information security and function together and a perceived lack of any relevant mandate;[15]

  22.  Cabinet Office itself provides a related, enabling service where IT and ICT methods are to be used for service delivery, and also has to ensure that related components are available from suppliers—this is the Government Gateway that is the interface to the government intranet to which central government servers are connected. GG is seriously flawed—it is accepted that it is a very good firewall, giving protection against attacks originating on the internet, but it is almost useless as a registration and authentication system for users of on-line services, and a request by Government Connect for it to be enhanced in order to provide a robust common registration and strong authentication system for local government officers has been rebuffed;[16]

  23.  In the list above the OGC work on methods of working and the CSIA Information Assurance work are most relevant to the current problems with service delivery. The GG problem can partially be mitigated on a department by department basis, albeit at a cost both financial and requiring diversion of scarce technical personnel. The lack of a common and secure transaction method across the internet will affect services not yet operational.

  24.  The OGC and CSIA outputs are just as applicable to the internal working methods within Cabinet Office as to those service delivery departments at which the Support Policies are directed, and the variable experience of Cabinet Office methods is directly related to the way in which different sections apply the Support Policies. OGC output can be summarised very briefly as:

    (a)  Do not do something unless you know what you are doing.

    (b)  Report truthfully and completely on your work, equally so for both positive and negative reports.

  25.  Personal experience of Cabinet Office handling of ICT matters (my direct experience ceased about a year ago but may be about to be renewed) was that there was a serious shortage of technical skills in Cabinet Office, and that nothing was being done about it.[17] Reports reaching me more recently suggest that the situation is still patchy.

  26.  As for the reporting of Cabinet Office ICT discussions in technical Working Groups, it is very difficult to know about that, but the notes of technical meetings at which external volunteers were present did not completely reflect the problems discussed. The impression given is that there is a deference culture which inhibits delivery of quality—and that is regularly echoed in the media as we hear calls for a change of culture throughout our public administration.

SERVICE DELIVERY DEPARTMENTS, SUPPORTING POLICIES AND FINANCIAL POLICY

  27.  Once we look at the effect of Supporting Policies on Departments of State trying to implement Specific Policies for delivery of services, the situation is very poor.

  28.  Personal experience of DfT is that the Information Assurance Support Policy does not trickle down to the rule books used by staff developing, or commissioning the development of, service delivery using ICT methods. However, recently DVLA has told me that it has implemented that Support Policy in its development of an on-line method for vehicle keepers and holders of driving licences to update their records on the DVLA's databases.

  29.  More generally, many of the problems with services are related to security failures and/or service quality failures. The Information Assurance Support Policy covers both information security and service quality, but is widely ignored or paid only lip service.

  30.  Behind the visible failures is often a failure to implement OGC Support Policies. Formal methods to manage development are simply not used or are inadequately deployed, deference is not replaced by the full and precise reporting required within an engineering project, and key personnel lack the necessary managerial and technical skills and knowledge.

MORE ON SUPPORT POLICIES

  31.  Support Policies are themselves inadequate, and necessary associated services have not been developed or encouraged to be created within the private sector:

    (a)  Support Policies do not embrace the need to consider information security and function together.

    (b)  Support Policies do not require the spending Departments to make the formal move to quality management certification (ISO 9000, etc).

    (c)  Support Policies do not require major projects to appoint independent expert auditors, and to grant those auditors the right to go everywhere and see everything.[18]

    (d)  Assessment and training services have not been established,[19] neither at the project level to assist in gaining the necessary skills, nor at the organisational level to assist in planning and managing changes to methods of working.

    (e)  Model contracts have not been established.

  32.  The OGC Gateway review process, I'm told by an associate, doesn't mandate immediate remedial action when it finds problems, and nor does it revisit the project at frequent intervals until the remedial action is completed. Instead I believe that it allows the project to roll on, and at the next Gateway will check on the remedies to past failings—that is much too late.

  33.  Strongly linked to the failure of Support Policies is the failure of Financial Policy to provide the necessary investment funding for "administrative process re-engineering". Businesses can and do capitalise all costs associated with business process re-engineering, but there isn't an equivalent public sector method. Such costs are often very significant, incurred over one to two years but providing vital benefits for many years.

SPECIFICATION CHANGE

  34.  Specification change is regularly cited as the reason for delay and cost over-run. This can be split into two:

    (a)  The first is not wilful specification change, but a basic failure to develop a complete specification early in a development programme. Ian Watmore when Chief Information Officer in eGU spoke out about this, but was not able to do anything about it.

    (b)  True specification change, whether brought about by changes of UK policy, by reviews uncovering errors and omissions, or by updates emerging from the EC, is to be expected and must be allowed for. The type of project being considered here creates a single, unique system. For success the overall design of the project must emphasise modularity in the implementation, which I fear has not happened, and which generally will not be the way in which a major IT contractor operates unless specifically required to do so. The risk assessment process, if properly applied, will indicate areas of risk when specification changes arise, as well as assessing the risk that significant specification changes are going to arise; system design must be structured in a way that confines the impact of changes to self-contained areas.

EXECUTIVE AGENCIES

  35.  It is obvious that in the Defra/RPA case Ministers did not know what was happening in an Agency spun off from their Department—that is possibly also the case with other Departments that have Executive Agencies.

  36.  I confess that I do not understand how policy reaches an Executive Agency, but suspect that each Department has developed its own contractual relationships at this level—and that each Department also has its own reporting and oversight mechanisms for its Agency or Agencies. Support Policies must be applied to those relationships—which takes us back to the failure by Departments of State to implement Support Policies, updated where necessary.

SUPPLIERS

  37.  First, some of the Specification change material above applies to the relationship with suppliers.

  38.  Next, it is clear that often there is no attempt made to ensure that suppliers offering Best Practice are invited to bid for either advisory or implementation work. Too often existing suppliers with whom there are framework agreements or even existing contracts are the first ones considered when new developments are planned, and then a small list of already known suppliers might be compiled if the contract is a small one, even if they do not have and will not buy in the necessary expertise—this in my experience is particularly the case with technical advisory work. Even more particularly, as ICT methods (requiring Information Assurance and function to be given equal rank) are more and more required for service delivery, suppliers with expertise in those areas are ignored.[20] There are of course initiatives to try to improve access to government for smaller and specialist suppliers, and S-Cat and G-Cat are combined into Catalist, but personally I find these methods inappropriate to bridge the gap.

  39.  The hiring of suppliers and the contracts with them are at the end of the chain: get the methods of working right, ensure that personnel with the necessary skills and knowledge are in place, develop model contracts, and things should start to go right with suppliers. Note that I'm aware that the suppliers are not always without problems, but one intention of the Support Policies is to raise the skill levels in purchasing and in the management of the subsequent contract: a knowledgeable purchaser, coupled with in-process audit, will do wonders in this area.

REFERENCES

    [1]  A catalogue of Information Assurance documents, including the ones listed below, is at: http://www.cabinetoffice.gov.uk/csia/information_for_the_public_sector

      Security—e-Government Strategy Framework Policy and Guidelines Version 4.0.

      Assurance—e-Government Strategy Framework Policy and Guidelines Version 2.0.

      Registration and Authentication—e-Government Strategy Framework Policy and Guidelines Version 3.0.

      Trust Services—e-Government Strategy Framework Policy and Guidelines Version 3.0.

      Network Defence—e-Government Strategy Framework Policy and Guidelines Version 2.0.

      HMG's Minimum Requirements for the Verification of the Identity of Individuals.

      HMG's Minimum Requirements for the Verification of the Identity of Organisations.

      Smart Cards Framework: Modernising Government: Framework for Information Age Government: Smart cards.

      Also a new (November 2005) Information Assurance Governance Framework is available at http://www.cabinetoffice.gov.uk/csia/ia_governance

    [2]  OGC Successful Delivery Pocketbook at http://www.ogc.gov.uk/index.asp?id=1004620

    [3]  Draft new Civil Service Code at http://www.civilservice.gov.uk/civilservicecode

    [4]  Speech by Home Office Minister Andy Burnham at the Smart Cards and e-Government Conference promoted and hosted by the Social Market Foundation, 15 March 2006.

    [5]  Paper, dated 2003, reviewing stated security policy for UK e-Govt as found in the papers listed in [1]. In summary:

      Although privacy of personal data is an essential component of the security of UK e-Gov functions (products and services), it is by no means the only component. Subjects such as quality of service, protection against all types of external threats, and proper registration of persons (eg as holders of secure tokens such as smart cards) are just as important. This study finds that e-Gov policy and guidelines encompass the complete spectrum of security requirements, but also finds that the documents are not sufficiently clear about the scope of application of the policy or about the reference standards and specifications (ISO/IEC 17799 and/or BS 7799 and/or other equivalent standards and specifications) to be used for assuring security. However, the authors believe that the intent is that policy shall be implemented across the whole of the public sector, including extending it to private sector suppliers of products and services.

      Available at www.iosis.org/whitepapers/index.htm

      Handle with care! It's now out of date.

    [6]  Speech by e-Govt Minister Jim Murphy at the Smart Cards and e-Government Conference promoted and hosted by the Social Market Foundation, 15 March 2006.


4   ICT is Information and Communications Technology, in which information security and function have equal rank.

5   Support Policies are developed within Cabinet Office.

6   A phrase coined by Prof Ohyama of Japan's METI in the context of the Japanese (voluntary) citizen registration smart card scheme.

7   Passenger Transport Executives.

8   From WWII to his retirement in 1971 my father worked for Ministry of Food and then MAFF, and at the end of his career was Regional Horticultural Marketing Inspector for Yorkshire and Lancashire.

9   Requests under FOI to the RPA have so far yielded only a confirmation of the list of information that I requested, and an enquiry to the CLA (Country Landowner and Business Association) is still awaiting a response.

10   www.itso.org.uk.

11   Notable, however, is that listener response to its Radio 4 news service is very difficult-there is no email address or web response page for the Newsroom-but the Today programme does have its own email address. By comparison, for Sky News (TV) there is simply news@sky.com

12   EC regulation problems are known to have affected at least one other Agency, namely the DVLA-but in that case there has been no immediate effect on the public or on businesses, although there may be "identity theft" problems later, plus additional costs to the public purse.

13   The documents were published in 2002-03; technology, and the Information Security standards (where DTI has been a consistent supporter and initially a prime mover), have moved on since then.

14   The speech [6] by e-Govt Minister Jim Murphy to the mid-March Smart Cards and e-Govt Conference organised by the Social Market Foundation refers, as does EC policy dating back at least five years.

15   Cabinet Office until February 2005 operated within its e-Government Unit a Smart Card Working Group that was only allowed to consider functional matters, when it should have been a joint group with CSIA; even on functional matters Cabinet Office declared itself unable to develop a transaction method for common use by the Departments of State and by Local Authorities-it had neither funding nor authority. This failure will seriously inhibit the proposed ID Card being "useful to citizens" [4].

16   The plan for secure and affordable email between LA and LA, between LAs and central govt depts, and between LAs and other external organisations, is thus severely compromised; a (now former) ODPM representative has stated that confidentiality is a legal requirement when there is email traffic incorporating personal details of citizens.

17   Attempts in the e-Envoy days to get volunteers to contribute expertise free of charge were rebuffed.

18   That method was particularly successful during the development, 20 years ago, of the systems that allowed the Stock Exchange to make the transfer from face to face transactions on the floor to screen-based transactions in offices.

19   In particular, CESG has not been required to establish teams and contract assessors with ICT sector expertise, ready for rapid deployment.

20   This problem is currently the subject of discussion between a group of specialist suppliers and Cabinet Office, as a result of a question put to e-Govt Minister Jim Murphy at the SMF Conference referenced at [4] and [6]. Existing trade associations are no help here.


 

© Parliamentary copyright 2007
Prepared 29 March 2007