Good Governance - Effective use of IT

Written evidence submitted by Dextrous Web (IT 42)

1. How well is technology policy co-ordinated across Government?

This short question covers a broad and diverse set of issues. We will respond at three levels: at the standards level, at the project and programme level, and at that of day-to-day infrastructure and operations.

In terms of the definition of standards, Government will always face a dilemma: specify loosely and risk failing to deliver any standardisation at all, or specify tightly and restrict innovation and in the worst cases, distort a fair market for technology equipment and services. We are referring here to policy for the application of industry standards to Government business, not to the setting of distinct standards just for Government. Government should clearly be represented at the standards table, but as far as possible avoid establishing its own. Policies such as the GIF show that this response can be effective, and, at least at the generic whole-of-government level, this is reasonably fit for purpose.

At the level of projects and programmes, things are more problematic. We have seen examples where policy, although nominally set across government as a whole, is routinely subverted or ignored in its application at Departmental and Agency level. To pick on two specific examples: policy to converge all citizen and business-facing website content to two principal channels was clear enough. But enthusiasm for its application in practice has been harder to find. Whether such a broad-brush policy was well-founded in the first place is arguable, but it seems evident that coordination of its application could only go so far; it did not extend to mandation. The use of the Government Gateway to provide some consistency of user experience at the front end of transactions has also been patchy. This is an example of a policy with cross-departmental intent, but at the practical level, local decisions about specific registration mechanisms have almost always been dominant.

In terms of infrastructure and operations, our perception is that technology policy is not particularly well-coordinated. Nor, given the range and scale of government's activities, should it be overly centrally managed. But to address the question at a local level, too often policies either seem to be made up on the fly, or to be missing in certain crucial areas. User experience is a good example where policy is patchy or lacking. And in a world of increasing digital participation and engagement of audiences beyond the traditional, "technical" community, this will cause problems if not addressed.

2. How effective are its governance arrangements?

A detailed answer to this question requires a knowledge of governance structures beyond that which is apparent to us in our activities as an external supplier to government. This tells its own story, to some extent, of course. There is some awareness of the activities of the CTO Council, and we welcome the renewed openness that this governance body and the Transparency Board, in particular, are displaying – but we are not in a position to comment in detail on how governance as a whole is working in practice, other than to reflect on the points made in Question 1 about examples where policy stalls in its implementation – evidence which suggests weakness in governance.

3. Have past lessons from NAO and OGC reviews about unsuccessful IT programmes been learnt and applied?

A detailed answer to this question requires analysis of specific reviews in detail against their impact on subsequent services. Within the timescales set for this call for evidence we have not conducted a specific review. However, we make the general point that it is inexcusable not to publish such reviews in full, without redaction, in every case. If lessons are truly to be learnt, and those responsible to be held to account, we expect a far greater commitment to openness.

The recent publication of a heavily redacted report on the National Programme for IT in the NHS is an excellent illustration of this, and the need to do better.

4. How well is IT used in the design, delivery and improvement of public services?

Again, a broad question which in the time available we can only answer with reference to some specific circumstances.

Generally, IT is poorly used. Projects are regularly over-specified and implementation takes too long. Contractual restrictions and excessively bureaucratic change control mean that lessons learned during development are often not applied – for fear of increasing cost or missing deadlines – resulting in poorer quality in deliverables, poorer outcomes, and poor value for money. A more agile and flexible approach is sorely needed to avoid technology solutions becoming handicapped from the outset.

Our suggestion in response to this embraces several points:

· Better understanding of the actual requirement: the conceptual models that sit behind the issue that technology is intended to address. Greater rigour at this stage may set projects on firmer ground from the start.

· Engagement of user perspectives; whether the public at large, a specific targeted audience, and/or the internal users of government technology. Failure to base solutions on real user need, rather than perceived need, to take into account embedded knowledge within a service about how it really works, and to engage those who will actually use a solution are been highlighted time and time again as contributing to IT's failure to improve public services

· Ensure the skills to carry out this analysis, and to provide adequate challenge to a policy or ministerial direction where appropriate, are readily available. We will not rush to the conclusion that they must be provided in-house: in some areas this will not maximise value. But if they are sourced externally the incentives to deliver, reliable, accurate, objective advice must be absolutely aligned with the needs of government, not with any potential solution or external provider of solutions.

5. What role should IT play in a post-bureaucratic age?

If we take a thumbnail definition of post-bureaucratic as meaning "faster, more transparent and less reliant on established process", IT clearly has the potential to play a hugely important role. It increases engagement, if offers openness, and it disintermediates. But if we are truly to adopt post-bureaucratic principles we might usefully begin by addressing the bureaucracy that surrounds IT specification and adoption itself.

Too often we see IT projects thoughtlessly commissioned from an existing provider of services under a long-term, generalist, infrastructure-based contract. There are some sound reasons why such long-term services have been set up, but in a world of increasing technical modularity and interoperation, we expect far more scope for imaginative and creative sourcing. Your network provider might not be the best provider for your website. Nor are there the same technical reasons that might have prevailed 15 years ago as to why it would reduce your risk.

The key word is 'agility': being able to move fast, reflect volatile requirements, and ensure interoperation with existing systems and providers is a sign of being truly post-bureaucratic.

6. What skills does Government have and what are those it must develop in order to acquire IT capability?

We have not been able to conduct any form of skills audit, or to find skills information of this nature openly published in a format for analysis. However, we have referred in our response to Q4 to some of the skills that are required.

7. How well do current procurement policies and practices work?

Much of what we have said in response to Q5 above applies here: current procurement is bureaucratic. In an attempt to reduce risk, greater risk and poorer value can result: from bundling technology into ever-greater packages; from a lack of finesse in the differences between issues such as development and ongoing operation; and from favouring incumbent providers over new ones, even when the services being procured are far from traditional.

In what can sometimes be a dominant focus on ancillary policies, such as environment, or trading record, we see the risk of excluding truly agile innovators who will mitigate risk not by showing evidence of how they have done things (in largely the same way) for many years, but through new measures, such as agility of development, and the manageability of work packaged into smaller, more flexible units.

We strongly recommend the investigation and adoption of some of these new assessments of a preferred supplier: namely flexibility, freedom to innovate, scalability, modularity, interoperation, use of standards, and commitment to openness.

8. What infrastructure, data or other assets does government need to own, or to control directly, in order to make effective use of IT?

In terms of absolute need for infrastructure and other technology assets, very little. Many infrastructural services and assets are now commodities. Outsourcing is long-established and reasonably well-understood. Assurance of external services is similarly a mature discipline. Bearing in mind the value of having a body of internal expertise in IT, it seems sensible to ensure that skills are developed and enhanced through the ready access to technology for testing and learning, and where this can be free of association with any particular external supplier, so much the better.

Data is a slightly different matter. Government creates, collects, and to a large extent, owns, data – by definition. To retain trust in data and its validity, its data assurance role is important. Its willingness to publish its data openly in raw formats is equally welcomed. Particular problems arise however in terms of "operational data" - the real-time reflection of the services that government provides, facilitates and commissions. This is some of the most valuable data that exists – with the most potential to support transformational new service development through the use of IT. And yet this data remains locked behind contractual walls – either with a view that its release would lead to commercial compromise and market destabilisation, or simple that release-and-publish mechanisms just haven't been built into the contract, and can't be without expensive (and unprioritised) changes.

Therefore we consider that the development of "contracting for data" as a discipline would provide enormous benefits in terms of more effective future use of IT.

9. How will public sector IT adapt to the new "age of austerity"?

This is hard to predict. There are a number of possible outcomes, not all of which are beneficial, nor co-existent. We may see a winding-back from all discretionary projects, in which the pilot, the experimental and the innovative will be badly hit. We may see a retrenchment to "lowest common denominator" infrastructure, trading usability and performance for cost reduction and perceived reductions in

the risk of change. We may see radical business transformation – entirely rethinking the way services work in order to transform their cost base or the way they interact with and serve their users. We very much hope for examples of the latter. Applied carefully, with good preparation and scalable, agile methods, technology – as part of overall service design – has much to offer in an age of austerity.

Setting aside some of the traditional, "heavy-duty", ways of working and embracing fresh approaches from new suppliers should be extremely attractive at this time. As well as being less bureaucratic, refreshing the way technology is approached could actually be triggered by reduction in available budget to continue doing things in the same old ways.

We have already seen some movement from the supplier community in response to tightening of budgets for external expertise, above and beyond the round of supplier cost reduction led from the Cabinet Office itself. A large consultancy provider has made much of its forthcoming "donation" of services to government technology projects, and we are aware of recent competitions where price has ceased to differentiate – all bidders eager to maintain relationships and continue programmes even if operating at a short-term loss.

We are strongly critical of this consequence of austerity. Short-term savings will be balanced in the longer-term as suppliers recover their costs, and in the meantime the ability of smaller innovators to enter this market (with any semblance of fair competition) will be hampered. We feel that government must show its commitment to securing the right services at a fair price, rather than pursuing short-term reductions with a potentially negative overall effect.

10. How well does Government take advantage of new technological developments and external expertise?

On the question of new technological developments we have some concerns. Innovation is seen as a sporadic activity, rather than a culture. Isolated examples of innovation units are welcome, and the new government skunkworks has some potential (as do the projects fostered by those such as the Technology Strategy Board), but the lack of a consistent focus on research and development in its own right is worrying. Merely naming one chapter of a major tender response "Tell us how you would bring innovation" isn't enough.

On the question of external expertise we have significant concerns. The culture of using external guidance at all stages of conception of a technology project has frequently led to a blurring of responsibilities and interests. In the worst examples, we have seen extensive planning and development conducted with no meaningful civil service presence at all. As we noted in our answer to Q4 we make no general presumption that in-house skills will always be best, but we feel there is scope for observing better separation of interests when using external expertise to provide client-side advice. Drawing on established systems integrator organisations to provide senior external Gateway reviewers can limit the credibility and transparency with which such reviews are perceived.

11. How appropriate is the Government's existing approach to information security, information assurance and privacy?

Inevitably, detailed information on these areas is not widely and openly available (for obvious reasons), and sufficient analysis has not been possible within the timescale of this call for evidence.

We make the general observation, however, that the information security and assurance processes applied seem cumbersome: with little visible evidence that they are keeping pace with changing risks and development approaches. Government's security requirements also vary significantly in their interpretation between departments, and are not well-aligned to those of the NHS or local authorities. Their complexity is a significant barrier to entry for SMEs wishing to enter technology-focussed contracts with government, who must rely on a small pool of CESG accredited advisers – whose rates are beyond the means of many organisations – for knowledge and information critical to the success of a bid.

The consistent application of information security and assurance methodologies to something of the nature of an agile development process is also unclear.

12. How well does the UK compare to other countries with regard to government procurement and application of IT systems?

We have not responded to this question. Sufficient analysis of international comparators has not been possible within the timescale of this call for evidence.

January 2011