Good Governance - Effective use of IT

Written evidence submitted by The Institution of Engineering and Technology/The Royal Academy of Engineering (IT 50)


How well is technology policy co-ordinated across Government?


There are inter-departmental links in some areas, and in some cases, e.g. security, there are clear government-level leads. There are also specific initiatives to try to coordinate activities, e.g. a GCHQ hosted workshop on software development in government which attracted people from many government departments and agencies, including MoD and Ordnance Survey, and there is coordination of spectrum allocation. So far as we can see, however, such coordination is inconsistent across Government.

Co-ordination of technology policy has been the responsibility of the Departmental Chief Information Officers, working together on the inter-departmental CIO Council, which was chaired by Government CIO John Suffolk until his recent retirement from the post. We recommend that the Committee asks John Suffolk to give oral evidence on his experiences.

As of the 1st Feb 2011 Joe Harley CBE has been appointed Chief Information Officer for the UK Government . Two key policy documents relating to Government IT strategy, ‘Transformational Government enabled by IT’ (2005) and UK Government ICT Strategy (2009) appear to have been removed from the Cabinet Office website.

The policies developed by the CIO Council included common architectures for Departmental IT, and the G-Cloud. The rate of progress towards implementing these policies appears to be slow.

We are concerned that the departure of John Suffolk may mean that even the limited co-ordination provided by the CIO Council may decline or disappear entirely. This would be unfortunate, as the CIOs play an important role.

In addition to reinstating the CIO Council, there should be a computer scientist in the CIO community to advise on developments in the research pipeline with the potential to impact government IT systems beyond the horizon of current deployments. This will help to future-proof investments and to prepare Government for disruptive technologies ahead of time. This would be a similar role to Departmental Chief Scientific Advisers.

How effective are its governance arrangements?


The governance of Government procurement of IT appears somewhat weak. It relies on the existence of Senior Responsible Owners (SRO) and on the Gateway process of the Office of Government Commerce. However, this system is vulnerable because the SRO is likely to change at least once during any significant project and project overruns or failures can be attributed to suppliers, consultants, internal advisors or previous SROs.

The Gateway process would be more stringent if it were mandatory, were a truly independent process, and the reports of the process were published. The National Programme for IT in the NHS (NPfIT) adopted a modified Gateway process but external reviews were not carried out, despite advice that they would be useful.

However, the issue of governance is understood by Government and there are organisational structures in place to support it; the challenge is to make them effective across a very large and disparate organisation. It should be acknowledged that this is a significant challenge, having to span in-house IT and operational systems, some of them geographically dispersed. There are policies and procedures for basic compatibility, such as "network joining rules" for new equipment/systems, but much more limited capability at seeing the "joined up" or end-to-end IT picture, for example, how is benefit delivered from services which are built up by linking these systems. There tend to be initiatives in stove-piped areas, for example, there is work in one Government Department on safety of logistics IT systems, but this approach is being developed independently of other work on networked systems safety.

Have past lessons from NAO and OGC reviews about unsuccessful IT programmes been learnt and applied?


There appears to have been incremental improvement but no solution to the two major issues described under "How well do current procurement policies and practices work?" below.

In some Departments the lessons have been understood, although it is quite possible that similar problems will arise again. It appears that Departments respond to NAO reviews initially but without correcting systemic faults; a characteristic is for there to be occasional emphasis on particular programmes without a consistent overview and scrutiny of sufficient technical depth. Office of Government Commerce (OGC) processes are used and these seem to be quite effective for some of the systems procured; however they do not seem to be robust or searching enough for the more complex technical systems, and pressures of Government policies and timescales are too often allowed to override professional engineering judgement. NPfIT and the ID Card programme are recent examples.

How well is IT used in the design, delivery and improvement of public services?


IT seems to be considered late in the process of developing and implementing policy. Policy initiatives are developed, and timescales for delivery announced, without detailed consideration of the IT implications. The DECC/Ofgem Smart Metering programme is one recent example, where ambitious timescales have been set which do not leave sufficient time to develop systems that could deliver the policy goals effectively whilst taking into account system security and privacy issues.

The IET and the Academy have made the point in a number of forums that new public services are fundamentally business change projects, not purely IT projects, and that the cost and time required for the business changes will normally exceed the costs and time required to develop new IT systems. However, the Treasury Green Book does not require that these costs are properly analysed, and as a result they are often neglected or underestimated.

The use of IT and modern communications could be transformative, but this requires the development of strategic objectives and system architectures that transcend Departmental boundaries and budgets, even if the resulting services and systems are subsequently implemented in small steps following thorough prototyping and field trials.

We would like to stress the importance of small-scale trials and incremental roll-out of systems of the scale required by Government. It is clearly impossible to get a multi-million or -billion pound project completely right first time. A programme of ever more realistic prototypes and trials is essential. Incremental roll-out of Government projects may create elements of ‘post-code lottery’ in the provision of services; this should be addressed at a policy level as well as an engineering level.

For such an approach to be effective, however, it is essential to ensure that lessons learned from trials are applied to the subsequent development. The aim of the trial should be to identify problems with the system, so that it can be improved. Unfortunately, a combination of human nature and commercial incentives sometimes discourages this.

What role should IT play in a ‘post-bureaucratic age’?


IT offers the opportunity both to be more effective and more efficient, and there are many opportunities to improve Government systems. It is important that the benefits of using IT systems are fully explored by considering the opportunities and risks posed by the development of new IT systems early in the processes of policy development and implementation.

What skills does Government have and what are those it must develop in order to acquire IT capability?


The level of skill varies enormously across Government. In some areas there are still software development skills, but in most places IT systems and software are bought in. The skills required are therefore those necessary to enable civil servants to be intelligent customers and operators of systems, viz:

i) Requirements definition (and managing requirements creep);

ii) System and system-of-systems architecture (MoD, for example, retains overall responsibility for the integration and inter-operation of systems, although they buy-in individual systems);

iii) Systems integration;

iv) Cyber security including risk assessment;

v) Safety (some systems are safety-related or safety-critical, or have the potential to be so. An example is the Smart Grid being developed under DECC responsibility);

vi) Programme management;

vii) Programme/project risk management and trade-offs (often systems are challenging, and not all requirements can be met to time and budget, so trade-offs need to be made);

viii) Knowledge of commercial technology – some specifications make it hard to get benefits from commercial developments (and may preclude their use).

How well do current procurement policies and practices work?


There are successful programmes in many Departments, but cost and time overruns are quite common, and some serious problems, such as delaying major systems into service, have occurred. This remains a high risk to the implementation of Departmental policy and its ability to operate effectively.

There are two major faults that often hamper Government procurements of IT services. The first is that Departmental policies and timescales are often announced without detailed analysis of the practicality of introducing new technology by the dates required. The second is that there is always a risk that civil servants responsible for IT procurement will underestimate the timescales and true costs involved in implementing the IT systems required by a policy initiative, due to a variety of reasons or pressures.

The Academy and the IET proposed a solution to the second fault through the use of a two-stage procurement process in which the first stage would involve the use of a systems architect that would thoroughly explore the requirements and develop a comprehensive and consistent procurement specification. Discussion of this proposal can be found in our report The Challenges of Complex IT Projects at this location: news/publications/list/reports/Complex_IT_Projects.pdf.

What infrastructure, data or other assets does government need to own, or to control directly, in order to make effective use of IT?


There is no general answer to this question, which is perhaps best addressed from the point of view of design knowledge, more than infrastructure. More specifically, in each Department and across Government and the public sector, what aspects of the system architecture (and implementation) does the Government need to understand and control to deliver its policies?

Key to this is the system architecture in terms of data definition and provenance; security mechanisms; archiving and data storage; resilience mechanisms and so on. With an architectural perspective, it should become clear what elements of the system are critical to its success, and which do need control.

The US Department of Defence has a scheme whereby they identify critical components for which they need complete visibility and control of provenance (where developed, by whom, where manufactured, etc.) because compromises to these components could undermine the whole system. The UK government, or CPNI, may benefit from a similar process so it can identify those critical parts of their systems which require a greater level of control and management.

How will public sector IT adapt to the new ‘age of austerity’?


It may adapt badly. There is a risk that managers will make expedient decisions, cutting immediate costs, which store up significant and expensive problems further down the line.

One way to reduce expenditure would be by adopting more off the shelf solutions (ie software products) and reducing expenditure on bespoke systems and customization (ie software [consultancy] services). The positive outcomes of this would be that maintenance of systems built using off the shelf solutions is often provided by the supplier as an upgrade service to maintain the presence of the product in the market, and bugs get fixed as part of product improvement, helping reduce life time costs. Products also tend to migrate faster to new hardware platforms than bespoke systems, allowing cost reductions and additional capabilities from newer technologies to be exploited sooner. To be balanced against these advantages, products are rarely exact "solutions" to the business requirement and will usually require changes to business processes to those that the product supports. This is not always possible in public sector IT as the public sector has some unique requirements, though perhaps not as many as is sometimes thought.

Another effect of the reduction in budgets may be greater use of Open Source software, such as OpenOffice and Linux. This approach has the potential for significant savings but will require careful implementation planning and represents a cultural shift in the computing environment.

The new austerity may well accelerate the adoption of cloud computing by the public sector to reduce the capital costs of deploying a new system through not having to invest in building data centre capacity, and to gain the ability to scale up and down based on demand and budget. But for the public sector to export mission critical systems to the cloud, there are many challenges to be overcome: for example, finding cloud vendors who will support appropriate service level agreements, including dependability, and resolving data sovereignty issues when public sector data and applications are hosted offshore. Government needs to engage with the industry to develop policy in this area, so that the ‘G-Cloud’ can become a cost-effective reality.

It is essential that decisions are based on a through-life perspective, and Government departments should be prepared to cut back on their ambition and only do what they have the resources to do well. If they do not, then we are likely to see more project overruns or cancellations at very high cost to the taxpayer.

How well does Government take advantage of new technological developments and external expertise?


In our experience, this varies widely. A risk here is that Government is too dependent on external expertise, and lacks personnel with the skills to make the necessary informed decisions. Until it does change, there is a continuing risk of policy and strategic decisions being made that prove difficult and expensive to implement.

How appropriate is the Government’s existing approach to information security, information assurance and privacy?


This is a very complex area. The recent establishment of some national initiatives in cyber security is welcome and in this area we suspect the UK is ahead of most countries, other than the USA (with whom the UK collaborates fairly closely). Whilst there is much to be done – and combating cyber threats is an ongoing activity, not a project with a set end-date – the UK is on a good track in this area. The new initiatives, such as the Cyber Security Operations Centre, need to be given continued support as their mission will remain important.

Work is also needed to build a more integrated community in the UK, drawing on expertise in universities and industry as well as in Government. Some work is underway in this area, and it needs to be given time to come to fruition. The UK’s approach to information assurance is well-founded and pragmatic, and the work done by the Government Communications-Electronics Security Group (CESG) is sound and sensible. However more needs to be done to raise the awareness of the issues in the supply base, and setting up some equivalent to the US DHS’ "Build Security In" programme to engage UK industry in improving the standards of (secure) software development would be welcome.

A Secure Software Development Partnership has been established (with Technology Strategy Board support) and has developed a work programme, but this will need seed corn funding to make significant progress.

The UK approach to privacy is a major concern, as the UK Data Protection Act does not fully implement the European Directive, and the Information Commissioner’s Office lacks adequate technical expertise. This puts programmes such as the Smart Meters Rollout at serious and unnecessary risk.

How well does the UK compare to other countries with regard to government procurement and application of IT systems?


It is very difficult to make international comparisons, though there are examples of good practice overseas that the UK should consider adopting, such as the secondment of very senior technical experts into positions with real executive power.

February 2011