Good Governance - Effective use of IT

Written evidence submitted by Westminster City Council (IT 20)

1 PASC submission. Good Governance: the effective use of IT

1.1 Westminster City Council welcomes this inquiry into the way government develops IT policy and the strategy for implementation. Our start point is that both of these should not be limited to central government, as has been the case to date. Public service delivery spans local and central government, health, criminal justice and the voluntary sector and IT can be a core enabler but is often the blocker for successful and cost effective provision. Spend on ICT in the public sector is higher than it should be because procurement takes too long, too many instances of the same thing are bought, provision is too territorial, we do not engage effectively with the marketplace and we do not include technology as an integral part of transforming services often enough.

1.2 The UK is thought of as a leader in ICT adoption and use by other countries but they are catching up and will soon leave us behind if we do not keep pace with the seismic changes in the ICT marketplace through the move to cloud based managed services. In this age of austerity, we will need to embrace shared services and use ICT to make it possible, not entrench existing systems and structures further by cutting necessary investment and sweating legacy assets.

2 Q1: how well is technology policy co-ordinated across Government?

2.1 In my experience, whilst government is very good at defining technology policies it is not effective at ensuring they are implemented. Significant examples include data and interoperability standards, where policies were established and frameworks produced for adherence to those policies during 2001 to 2004, yet here we are with many interpretations of location mapping (especially addressing) and an ongoing headache with data compatibility between different line of business systems. The failure here sits squarely with a) internal compliance with data standards and b) acceptance of interoperability standards by systems providers.

2.2 A further area of disconnect is that between the various public sector realms of central government, local government, health and criminal justice. Whilst central government looks inwardly on many policies there is an expectation that the other sectors will comply with the demands placed on them. The best example of this has been the long running saga around Codes of Connection between various public sector ICT domains. Much of the compliance has been, and continues to be, based on high levels of security for handling restricted data and the technical standards have been based around network connectivity. The vast majority of public sector data is not highly classified and the material that is almost always resides in specific business applications where security has been set to meet compliance levels, rather than the entire network used by a public sector entity. This approach has generated significant cost over the last 3 years which could have been avoided if policies and standards had been developed in conjunction with the whole of Public Sector.

3 Q2: how effective are its governance arrangements?

3.1 Effectiveness has been very limited, evidenced by continued project failures and disjointed decisions on major ICT investment decisions. These are disjointed on two levels: the first is by continuing with national infrastructure decisions being made at individual central government departmental level, missing opportunities to realize savings through convergence and consolidation. The second is by not having a strong enough link to the desired business outcome through the operational or policy lead responsible. Too often IT is viewed as a dark art or worse still something that will just deliver without needing to engage with the deliverers. Project sponsors should not be IT professionals. They need to be the outcome owner in totality with recognition that IT is just part of the puzzle.

3.2 The most recent example of this behavior is the government’s reaction to radical changes in the IT commercial landscape: the move to "Cloud computing" solutions. The government’s reaction to this has been dominated by the drive to establish the "G-Cloud" and a government Applications Store. Why try to replicate what the commercial market is already doing, especially given that much of government’s ICT provision is outsourced albeit through contracts that locked in legacy proprietary platforms and systems? Surely a more practical and lower cost approach would be to embrace the commercial shift and seek to use government buying power to maximize pricing on those new platforms? Security can be overlaid to address government concerns and resilience would be improved by moving away from dedicated government systems to much larger ubiquitous services. The question of geographical location, often quoted as one of the blockers to adopting commercial cloud offerings, is solely based on the fact that as long as public sector ICT remains internal to organizations the business case to build or adopt commercial offerings in the UK is undermined. In fact the UK is an attractive location for cloud hosting given its climate, political stability, network capability, global location, technical expertise and security. Government could be a catalyst for growth for that whole industry here.

4 Q3: have past lessons from NAO and OGC reviews been learnt and applied?

4.1 This is patchy and the fact that we return to the same lessons around focus on outcome, ownership, leadership, financial management and supplier management tells us that cultural change around decision making and project management in relation to IT investments remains the same as it was over 20 years ago – left to technologists and put at arm’s length by the very businesses it is there to deliver for. That said there have been noticeable successes: vehicle excise duty online, census data (in recent years) and even some of the NPfIT projects, especially where clinicians were actively engaged.

4.2 Perhaps a new approach would be to examine why projects succeed and use those lessons to improve skills and governance?

5 Q4: How well is IT used in the design, delivery and improvement of public services?

5.1 The relatively high costs of public sector IT in this space can be put down to the following issues:

· Long and complex procurement timelines, often much slower than the pace of technology change

· Project management focused on activities and deliverables against the original plan which may not stay aligned with changing business needs

· Dogmatic purchaser/provider relationships built around a point in time contract rather than a shared understanding of the outcomes

· Closed markets with few suppliers offering outdated solutions

· Disconnect between technology delivery and business need

5.2 All this can be resolved by the public sector becoming more agile, staying focused on what will come out of the end of a project and making sure that it remains relevant.

6 Q5: what role should IT play in a post bureaucratic age?

6.1 IT remains critical to the ability for the public sector to share information, move to self service, protect the now considerable digital assets we are responsible for and help services transform safely and effectively. It must not do this in isolation though. IT must also integrate with information governance to ensure both are developed and deployed in a way that protects the individual. Business leads must lead on outcomes and engage with IT towards a common goal, not leave the techies to come up with the IT answers.

6.2 The evidence of where this is successful rests in the adoption of mobile technologies by retail and other services across the private sector. Rapid development and deployment of web services for mobile devices are critical to gaining market share and essential for retained customer loyalty. The latter applies equally to the public sector, just renamed customer service. For these applications to succeed the whole supply chain is affected, from point of sale through to fulfillment. Therefore business leads, support engages and IT becomes the enabler and is integral to the project, not left to one side to come up with the answers.

7 Q6: what skills does government have and what are those it must develop in order to acquire IT capability?

7.1 Government is not short of technicians. It is short of people who can define a business outcome and understand how IT can help enable it. On project and programme management, there is no shortage of PRINCE2 trained people but there is a shortage of project sponsors who are confident and competent enough to lead a change programme, with IT in it, through to delivery of what needs to change. Also lacking are strong commercial skills in managing supplier delivery and ensuring costs remain competitive and good value for live operational systems. It is here where costs remain static or even creep up through alleged inflationary pressures (odd in an industry where costs are constantly driven downwards by productisation and volume growth). Perhaps the greatest driver for increased cost and the risk of failure is the lack of understanding around the impact of legislative change on IT systems demands for new provision and upgrades.

7.2 The evidence base for these skills shortages is overwhelming: NPfIT and its ongoing relevance to a changing health industry and service; social care systems across the country being constantly revamped at significant cost thanks to regular legislative change; housing benefits systems across the country being changed annually due to procedural changes; RPI increases as standard in many ICT contracts; the ContactPoint and Identity management projects.

8 Q7: How well do current procurement policies and practices work?

8.1 In short, they work very badly. EU IT procurement often takes 2 years or more from start to finish, against an industry where solutions and products operate on a complete refresh and upgrade cycle of less than a year! The marketplace is also dominated by a small number of suppliers, in turn further dominated by an even smaller group in specific segments (health and social care, environment, tax and benefits, libraries and leisure, corporate systems, planning and education). This is not unique to the UK, with many European countries suffering the same stale market conditions. This stifles innovation and drives up cost at the expense of the buyer and end user. Changes under way in the IT industry do however provide scope to disrupt the current market through the adoption of total managed services, as those providers move to integrated people and technology based provision. This means the public sector will need to move away from buying IT in isolation and instead include it in more comprehensive service procurements and ongoing service provision.

8.2 Another area for improvement would be the establishment and adoption of more market specific framework agreements for services, enabling fewer procurement exercises and speeding up the timeline between specification and award.

9 Q8: what infrastructure, data or other assets does government need to own, or to control directly, in order to make effective use of IT?

9.1 We need to own very little. Government does need to retain key skills around:

· Technical design, to understand how information and transactional services are operating and to ensure they remain legally compliant around information management, financial control, investigation and access

· Security and configuration management for the same reason

· Service delivery management to ensure good value is delivered and competition remains healthy

· Strategic thinking, to understand the opportunities technology can offer and how they translate to the business of public service

9.2 There will be areas of government where security considerations will necessitate retention of some assets but these are relatively small. The fact is that much of government’s ICT is already in the commercial environment, just not optimized for cost or delivery.

10 Q9: How will public sector IT adapt to the new "age of austerity"?

10.1 There are two ways this can go:

a. Organisations will cut back their IT spend on business applications and core provision, not renewing existing systems and sweating the assets. Business change projects will struggle to secure invest to save funding where IT is concerned (typically the invest part) and as a result organizations will find it harder to enact change to deliver efficiencies, instead choosing to cut services.

b. Public sector bodies will adopt shared services as the way to deliver savings through economies of scale and increased standardization. IT will be able to drive out some of those economies of scale but the real benefit will be in adoption of data standards and reduced customization of business systems, both areas where IT costs often double on projects.

10.2 The first will deliver some savings in IT but limit wider opportunities. The second will deliver considerably more savings in IT as well as enabling organisations to yield structural savings.

11 Q10: How well does government take advantage of new technological developments and external expertise?

11.1 Much of government’s technology implementation is about 2 years behind where the industry is. The reasons are:

· The public sector needs to be able to engage with suppliers more openly than at present. Much has been said about establishing a "skunkworks" approach and it has merit, but only if it is sponsored and run by the supply side with clearly defined ground rules for public sector interaction. This will protect companies’ interest in being able to bid for subsequent public sector work based on collaborative development activity, something that is largely prevented by the fear of exclusion by perceived unfair advantage.

· Procurement rules drive timelines which are much longer than the refresh rate of technology itself, so by the time a solution is implemented it has been succeeded by newer versions. Framework agreements can alleviate this.

· Overly prescriptive security conditions limit adoption of newer technologies and limit data exchange. More proactive engagement with industry and greater adoption of risk based security can alleviate this.

12 Q11: How appropriate is the Government’s existing approach to information security, information assurance and privacy?

12.1 The expectation of government and the wider public sector is to protect citizen data and there is no room for compromise on this. That said, many of government’s security standards are excessive, the Code of Connection process and the Government Gateway being the best examples of security excess over usability and interoperability. There is a need to separate national defence/military demands from civil administration around security which may help to bring a more practical perspective to what is needed in the latter’s case.

12.2 Another change needed is a move to adoption of best practice around risk based security management. This is beginning to happen but there is an ongoing conflict between central government compliance standards based on hard wired solutions and risk based compliance which concentrates on policies, procedures and people.

13 Q12: How well does the UK compare to other countries with regard to government procurement and application of systems?

13.1 The UK is certainly considered as a leader in some areas of ICT: the extent to which we outsource is much greater than that of the rest of Europe; our willingness to adopt new technologies around web services; our recent drive to take out cost as part of the austerity agenda; and our focus on information assurance.

13.2 Our approach on procurement and provisioning of ICT seems to be behind others. In Australia and elsewhere in the Asia Pacific region many governments have established arm’s length or joint venture organisations for the provisioning of ICT across government, either nationally or regionally. Many of these vehicles have been used in place of full outsourcing and they are able to bridge the purchaser/provider gap effectively around innovation.

13.3 The problem with closed markets and limited supply is universal, in part driven by the public sector in most countries electing to build purpose specific systems rather than adopting modular commercial products, although the move to ICT as a commodity through cloud services is already disrupting the market positively.

13.4 Security restrictions and lock-in around legacy systems are both universal problems for government.

January 2011