Good Governance - Effective use of IT

Written evidence submitted by EURIM (The Information Society Alliance) (IT 34)

1. EURIM (www.eurim.org.uk) is a policy research group concerned with the formation and scrutiny of legislation, regulation and government initiatives related to UK/EU competitiveness in the global information society and to the effective use of technology to serve society as a whole. It uses funding from its corporate and associate members to organise working groups of politicians, advisors, officials, industry (users as well as suppliers), professional bodies, trade associations and interest groups.

The main findings in the response are:

2. The pre-conditions for success and the causes of failure have been known for over 50 years but the short-term political and financial rewards for ignoring them are such that they are commonly ignored for projects that are large enough to require ministerial decisions and/or legislation.

3. Success requires clarity and continuity of purpose and responsibility, from the Minister, the Senior Responsible Owner and the programme managers (on both user and supplier sides), from initial planning, through procurement and project implementation to performance monitoring and acceptance testing.

4. Lack of clarity and continuity guarantees failure. In consequence many, perhaps most, projects are doomed before the implementation contracts have been awarded.

5. "Commercial confidentiality", other than during a competitive tendering process, rarely correlates with value for money. It is used to conceal lack of clarity of purpose, to reinforce departmental silos and to control the re-use of products and services already paid for by the public sector.

6. Much of Central Government no longer has the in-house skills to be an intelligent customer, or even to make effective use of consultants. Until these are rebuilt, including by using programmes of incremental change to give practical experience to the next generation of senior officials, any major programme is likely to fail.

7. Public sector systems are different - but not because of scale or complexity (both usually unnecessary). The main difference is that government cannot choose its customers. Also many of them have unpredictable needs. Success in meeting these leads to increased spend, not revenue.

A. How well is technology policy co-ordinated across Government?

8. There is little or no co-ordination of information technology policy across Government. There is confusion between the stimulation of new technologies and the effective use of existing technologies. The fragmented responsibilities for the management and use of publicly held information, as well as those for the technology systems to process it, reflect the silo structure of UK Central Government, with limited co-ordination of policy across departmental boundaries, other than by Cabinet Committee.

9. Policy should be technology neutral and focussed on outcomes and processes, not the mix of products and services used to support delivery. The latter evolve over time. In an ideal world the "policy" should be to require that the systems used to help deliver policy objectives are based on re-usable and interoperable modules which follow industry-recognised open standards. True interoperability also requires action at the managerial, legal and people process levels. It is not just a matter of technical standards.

B. How effective are its governance arrangements?

10. Governance arrangements are similarly fragmented, with policy proposals scrutinised, if at all, by Select Committees which reflect the structures of Whitehall, and with the Public Accounts Committee as long stop. The Gateway Review process (professional peer review) was emasculated because of embarrassing reports on programmes which had strong political support.

11. Government subsequently failed to "get the message" when reputable suppliers like Lockheed Martin and IBM declined to bid for major contracts (MoD and Health) or, like Fujitsu or Atos Origin, withdrew when their parent companies refused to accept one-sided risk clauses.

12. Decades of outsourcing mean the skills of Central Government as an intelligent customer have been lost and need to be rebuilt. Major suppliers have run down their UK public sector skills, as new business has evaporated and existing operations have been moved off-shore. The solution entails harnessing the skills of Local Government (which has not outsourced to the same degree) and active participation in the professional development programmes of the relevant bodies (e.g. BCS, IET, CILIP) in co-operation with supplier trade associations (e.g. Intellect, UK Payments) and user interest groups (e.g. SOCITM). Such programmes should be run in co-operation with the National Audit Office, the Audit Commission (or its successor), the National School of Government and the National Archives (constitutionally responsible for "information" as opposed to "information technology" governance).

C. Have past lessons from NAO and OGC reviews about unsuccessful IT programmes been learnt and applied?

13. EURIM recently summarised these on one page (http://www.eurim.org.uk/activities/pubproc/0909ProcurementSummary.pdf), but there is no sign that key messages, such as the need for clarity and continuity of purpose at the top, have been learned. "Strategic partnerships" are used as a substitute. The need to contractually separate programme planning, management and performance monitoring from project implementation is commonly ignored.

14. The governance, planning and monitoring structures for the DWP and HMRC systems to support the Universal Credit, and the proposals for scrutinising the legislation (both primary and secondary) provide a unique opportunity to demonstrate that the lessons have indeed been learned.

15. The White Paper states: "Universal Credit will merge out-of-work benefits and in-work support ... For those in employment, Universal Credit will be calculated and delivered electronically, automatically adjusting credit payments according to monthly income reported through an upgraded version of the Pay As You Earn tax system (on which HM Revenue & Customs will be consulting shortly) ... This would involve an IT development of moderate scale, which the Department for Work and Pensions and its suppliers are confident of handling within budget and timescale ... Over the Spending Review period £2 billion has been set aside as part of the Department for Work and Pensions settlement to fund the implementation of the Universal Credit."

16. Basing the Universal Credit on a revamped PAYE system that will cope with the monthly income fluctuations of those who move in and out of employment is an ambition as laudable as that for the universally available on-line patient records that were to be the heart of the Health Service National Plan for IT. Success will entail following best practice in enlisting the support of the front-line practitioners in programmes of incremental change. Repeating the mistakes of the NPfIT risks enthusiasm turning to frustration and bitterness as problems surface during the run-up to the next General Election, instead of a gathering momentum as success breeds success.

D. How well is IT used in the design, delivery and improvement of public services?

17. IT is rarely used in the design and/or targeting of public services. We commonly "retrofit" IT to deliver a service that has been specified, in primary and secondary legislation, without testing how it is likely to work in practice. The untested specification is then put out to tender in an expensive ritual driven by consultants and lawyers paid according to time spent, or given to the incumbent contractors to implement without external scrutiny of value for money.

18. Policy initiatives should be subject to computer modelling during the design phase to see how they are likely to work in practice. Existing public records (tax and benefits) should be collated anonymously with private sector databases (e.g. credit reference and market research) to identify how many individuals or businesses will be affected. Those scrutinising legislation should have access to such simulations when debating the proposals and any suggested changes.

19. There is also a need to be much better at identifying and replicating good practice. For example many of the global electronic invoicing standards were developed in the UK but are still almost unused in the public sector - resulting in massive wasted effort and expense.

E. What role should IT play in a 'post-bureaucratic age'?

20. IT enables change. Attempts to use IT to drive change have unintended consequences. On-line services which are easy to use (like the on-line driving license renewal system) have rapid take-up. Those which are "as user friendly as cornered rat" do not. Many of those dependent on public services cannot use a conventional screen or keyboard and/or live in areas with poor on-line access. The biggest benefits therefore come from enabling those in the front-line of service delivery (e.g. carer, sub-post mistress, district nurse, citizens advice volunteer) to act as trusted intermediaries and make "right first time" entries to public sector systems. The resultant savings dwarf those to be gained from merging back offices or moving call centres off-shore. Achievement depends on response to user choice: of contact channel, intermediary and even of identity system.

F. What skills does Government have and what are those it must develop in order to acquire IT capability?

21. There is an immense reservoir of skills within the public sector as a whole, if not central government. The most obvious gaps are at the top: beginning with the ability to define what success looks like. Then come the skills to be an "intelligent customer", particularly the relationship management skills to use simple "contracts" with alternative disputes resolution processes, so that all sides can focus on successful delivery rather than blame avoidance. Bodies like the London-based "Centre for Effective Disputes Resolution" lead the world in this area but their processes are almost unknown across the UK public sector.

G. How well do current procurement policies and practices work?

22. There are over 150 public sector procurement frameworks. Many cost more to create than the value of the business that flows through them. Most business flows through less than a dozen. The prices for the same product or service can vary by a factor of three, or more. The overheads (including royalties to those running the service and margins along the supply chain from prime contractor to subcontractors) can range from zero to over 70%.

23. The most efficient (including in the eyes of most of those submitting bids for business) appear to be organised by co-operatives of users concerned to get low price and a wide variety of choice, rather than to generate income from running the service. They levy little or no charge and follow continental interpretations of the EU procurement rules. Examples include those run by the Universities (JANET) and by the Grids for Learning: both can be used by others. They are unpopular with some of the main suppliers to central government because they commonly save 30 - 70% on list price. The Welsh procurement routines to enable IT and communications to be shared across previous silo boundaries also appear to give good value for money. There are particular problems with the procurement of security products and services, compounded by confusion as to what is current good practice and the inability to re-use accreditations.

24. Instead of creating a new centralised procurement regime it might be better to require publication of the price structures (bidding costs, overheads etc.) and performance (prices, throughput, quality of service) of current services, using measures relevant to those wishing to place business or bid for it. Barriers that prevent other public sector organisations from using the most cost effective should be removed. Those buying other than via the cheapest channel (including published catalogues like Viking Direct) should expect to be asked why (e.g. quality of service, local support, service levels etc.).

H. What infrastructure, data or other assets does government need to own, or to control directly, in order to make effective use of IT?

25. Not a lot. Most of the software used by government is supplied under license. Processing is increasingly on private sector data centres. Does Government "own" our personal data or is it merely a custodian?

26. Outsourcing is of most value when the needs are sufficiently predictable and the added efficiency of current and potential external suppliers sufficiently great, to outweigh the loss of flexibility and added financing costs. Efficient in-house IT departments and co-operatives of local government IT departments can, however, provide lower cost, more efficient and flexible services than most outside suppliers. This is especially so where open source material is re-used and pooled.

27. Sharing assets across public sector applications and/or with the private sector can enable improved quality of service and resilience: e.g. shared utility infrastructures (communications, power, gas, water and transport as well as data centres) with planned alternative routings to avoid potentially catastrophic single points of failure (e.g. the co-location of several major data and disaster recovery centres and communications hubs on an industrial estate next to the fuel depot at Buncefield).

28. There is an urgent need for a service to "map" the critical national infrastructure so that major users can be informed of their vulnerabilities and act accordingly. As society becomes ever more critically dependent on on-line systems, we cannot afford situations such as when the Ministry of Defence discovered, after a fire in a tunnel in Manchester, that contractually diverse routings passed through a single point of failure. Much of the UK public sector is currently dependent on systems which have only one back-up centre: most major financial services operations have three or four.

I. How will public sector IT adapt to the new 'age of austerity'?

29. Inflexible outsourcing and PFI contracts mean that central government is rarely able to follow local government or private sector good practice in organising "self funding" incremental economy programmes: for example rationalising server farms and duplicated communications networks or switching off systems that no longer serve any useful purpose, such as those to collect data for long dead ministerial initiatives. Some local authorities have been able to make further savings by co-operating with partners in joint services. Similar savings could often be made by local sharing with central government, health, education and welfare operations.

30. Equally significant is the potential for improving service while cutting costs by giving data mobiles to those delivering labour intensive services, e.g. community midwives, care workers or policemen (see example at http://uk.blackberry.com/newsroom/success/Portsmouth%20NHS%20(UK).pdf), so that they can update records, book actions or report incidents while with the patient or victim. The "pay back" (for example the reduced need for agency staff or overtime) can sometimes be achieved in days, not even months. The need is for budgeting and decision frameworks that encourage and reward such applications, especially if they fit within interoperability frameworks or replicate what has been shown to work elsewhere.

J. How well does Government take advantage of new technological developments and external expertise?

31. More time and money is spent hiring outside expertise (consultants) to look at new technologies than at what is being done better by other departments and agencies using existing technology. The need is not for more spend on benchmarking, but for rewards to those who re-use what is being done elsewhere, as well as those whose solutions are copied. Those who claim their needs are unique, so they cannot re-use what is done by others, should be made to feel embarrassed.

K. How appropriate is the Government's existing approach to information security, information assurance and privacy?

32. The existing approach is reactive, fragmented and government-centric. It does not focus on the secure and reliable provision of accurate and timely information to those who need it, when and where they do so. That requires attention to the quality and value of information, security by design routines that do not get in the way of customer service, and the identification of those who should have access, under what circumstances. There is also a need to address the "duty of care" to those whose data is being handled.

33. Government departments need to be able to trust each other’s routines, so that they can share data in reasonable confidence. They need to learn from the private sector, especially from financial services, which has been handling trusted transactions between those who have never met for thousands of years (e.g. notaries, scriveners, correspondence banking and international trade). It has also been done electronically (from cable authentication, through electronic data interchange, to internet protocols) for over 150 years.

L. EURIM has an active programme looking at these issues and has identified that:

34. Poor information management leads to inferior performance, higher costs, poor reputation and even loss of life: http://www.eurim.org.uk/activities/ig/0911-Value_Summary.pdf.

35. Society can no longer afford to rely on security by afterthought, it must be built into systems from the start: http://www.eurim.org.uk/activities/ig/1010-SbD_Summary.pdf.

36. Important though it is for Government to rationalise the many systems that it uses to identify its employees and contractors and for its dealings with citizens, residents and visitors (including to cut fraud and waste), it is even more important for the UK to have an information and identity governance regime that attracts global players who will base on-line operations in the UK. Otherwise we will be dependent on systems and governance regimes based in jurisdictions over which we have little or no influence: http://www.eurim.org.uk/activities/ig/1012-Identity_Governance.pdf.

37. That probably entails allowing citizens, as well as businesses, to decide who they trust to manage their identities, focussing political attention on the governance arrangements for interoperability between trust systems.

M. How well does the UK compare to other countries with regard to government procurement and application of IT systems?

38. The UK public sector is said to spend 30% more for equivalent IT systems. It is also said to cost 30% more to bid for UK government business. A EURIM comparison with Holland found they had few large projects and did more in-house work, using small contractors.

39. Scandinavian countries are often cited as models of good practice. Only Sweden has a population larger than Yorkshire. Most "nations" with populations greater than London have Federal Constitutions. The largest US states (e.g. California and New York) are among the worst performing with regard to IT. Our problems are related to the centralisation of decisions within national silos that believe their needs require unique, large scale, and therefore high risk, solutions. A recent comparison of the English and Scottish (and rest of the EU) approaches to Farm Payments (http://www.eurim.org.uk/activities/psd/ScottishSingleFarmPaymentExample.pdf) illustrates this.

January 2011