Good Governance - Effective Use of IT

Additional written evidence submitted by Hewlett Packard (IT 64)

1. Introduction 

 

On 23rd March, Craig Wilson and Howard Hughes from Hewlett Packard gave evidence to the Public Administration Select Committee’s enquiry into the Effective use of IT.

During the course of this session a number of requests were made by members of the committee for further information. This document provides notes in response to these questions as a supplement to both the verbal evidence given by HP and the written submission made in January 2011.

2. Cost of desktops in Local and Central Government 

 

In questioning HP, Mr Bernard Jenkin mentioned a recent report by the Network for the Post-Bureaucratic Age which suggested that unit costs in central Government were typically higher than in local Government. He asked HP for its view on why a workstation in local Government costs only half what it costs in Central Government, and whose fault this might be.

2.1. Basic Purchase Costs

HP can confirm that it would not expect to see any significant variance in the basic price paid by local government and central government organisations for a device of the same specification. Indeed an analysis of the typical costs involved in provision by HP of the core desktop product reveals only minor difference between supply to central and local Government clients, with the lower price being paid by central Government. For example, under two supply arrangements we have examined for the provision of the same model of PC of a broadly similar specification, the device is sold into the supply chain by HP at £356 to central government and £372 to local government. The differences between these prices are a reflection of some minor differences in specification and different volumes purchased under each arrangement.

2.2. The Network for the Bureaucratic Age Report

Our understanding is that the report cited by Mr Jenkin is "Better for less: How to make Government IT deliver savings", published in September 2010.

We note that the comparison drawn in this report is between the costs achieved by a single local council (the Royal Borough of Windsor and Maidenhead, which states that its cost per device is £345 per annum as noted in an internal council document) and a range of central government departments where the cost per device ranges from £800 to £1,600 per annum. The report goes on to say that this second set of figures is "not publicly available but was calculated after analysis of a number of let contracts and we have been re-assured by reputable, senior government sources as to its accuracy."

Whilst a cost of £345 per year is a good baseline for a local authority, it is not possible from comparison of a single well performing local council and a range of un-named central Government departments to conclude that any variance is completely unjustified. Any objective comparison must address the question of whether the requirements or contractual terms are the same in each case (in the examples above, they are almost certainly not).

In practice, there may be a number of reasons why the price might vary between different organisations. The price of a "managed workstation" will typically be made up of a number of components, including the basic purchase cost of the device itself, charges associated with configuring it to meet a given organisation’s needs (including additional software or facilities required to meet security requirements), plus charges associated with provision of shared facilities such as email services and ongoing support (e.g. helpdesk services and IMACs - Install, Move, Add, Change). The nature of these charges vary significantly between different contracts, depending on the type of work undertaken by the users of the workstations and the specifications demanded by the commissioning organisation.

2.3. Security Requirements

The "Better for Less" report states that "the difference in cost cannot be explained by additional security requirements in central government". It then goes on to suggest that much of the current security practice is in effect unwarranted, specifically that the rules set out by the Government’s own computer security experts, CESG. It suggests that "Security has become a smokescreen behind which Whitehall and the Communications Electronics Security Group hide a multitude of objectives, groundless policy decisions or poor system implementations". It concludes that "For systems operating at 'CONFIDENTIAL’ or below - which covers the vast majority of government IT - commercial security techniques and tools can offer effective information assurance without the unacceptable overheads."

The report in effect draws two connected but different conclusions on this topic – firstly that the security requirements which are currently enforced when supplying desktop services to central government drive significant additional cost, and second, that many of these requirements are unwarranted.

Firstly the question that security drives additional cost. This is undoubtedly true. The principles of IT security as they apply to the UK Public Sector are defined in the Cabinet Office’s Security Policy Framework (SPF). The SPF defines "mandatory security policy requirements that all departments and agencies must meet". It then goes on to set out that it should be "extended, where necessary, to any organisations working on behalf of, or handling HMG assets, such as Non-Departmental Public Bodies, contractors, emergency services, devolved administrations, Local Authorities". Compliance with the SPF for example, may require that software used must have been verified and approved by CESG, they may demand the use of "two-factor" security controls (e.g. using both a password and a physical token such as a smart card), they may lead to a requirement for additional security networking hardware to isolate systems from the Internet or other organisational networks, they may proscribe that certain controls are placed over support staff who have access to the system (e.g. they may require clearance). They will almost certainly require that any system designs are subject to a complex accreditation process.

HP’s experience is that whilst central Government departments do comply with these mandatory policies, adherence within Local Government organisations is somewhat less consistent. This can be justified in part by the fact that the threat profiles to the two types of organisation are very different and in some cases that the sort of information systems they operate and data they hold are different – demanding less stringent controls. Nevertheless, because of the different security practices adopted, there are requirements which do appear when providing desktop services to Central Government organisations which drive additional cost when compared with those which occur in Local Government – and hence contribute to a price differential between the two types of organisation.

Second, the question of whether the additional controls are unwarranted. This is a somewhat more controversial statement. It is true that the security requirements placed by Central Government departments are at a level beyond that encountered in many (but by no means all) commercial organisations. However, the nature of Government organisations does unquestionably make them a more attractive target for those (whether domestic or foreign) with malicious intent. It is also the case that Government organisations tend to hold data which, by its nature is more sensitive – regarding people’s health, financial status, criminal records and so on. Finally, whilst in general citizens have a choice of private sector provider (and could change provider if they were not happy with the security provisions made by them), they generally have no real choice of Government, and as a result, it can be argued that Government owes a greater duty of care to protect the information it holds.

There may be a case that significant quantities of the data held by Government organisations tends to be Protectively Marked at higher levels than it truly requires (and hence could be held on systems with less stringent security requirements). However, HP is also under no doubt that that the threats faced by Government information systems are increasingly complex, occur with increasing frequency, and that the repercussions, as more public services rely on IT, are increasingly serious.

Ultimately HP believes that one of the responsibilities of Government organisations in acting as an intelligent client (both collectively and as individual departments) is to develop an informed view of the threats that might face them, and the level of protection required in their IT systems that they believe those threats warrant. They then have a responsibility to ensure that the suppliers from whom they purchase products and services are complying with these requirements.

2.4. Variance in other contractual terms

One final potential factor which should not be overlooked when comparing the costs of different desktop services is variance in the prevailing commercial terms and conditions which apply. Many of HP’s contracts with Government have, in the past, contained very different terms and pricing models for the provision of desktop services. For example, one contract may cover just the provision of the desktop, software and a support service, with the associated network being the subject of a separate contract with another supplier. Another department may have a contract which bundles the networking costs with workstation provision.

Similarly, it is not unusual to find, particularly in older contracts, that what may appear as a "per workstation" charge is also used to recover the costs associated with the provision of other services. These can include bespoke business application systems, document management or collaboration software, printers or even fixed line or mobile telephones. Given that the "Better for less" report states that the data on central government desktop prices was "not publicly available but was calculated after analysis of a number of let contracts" it is difficult to provide an objective view on the extent to which this type of commercial construct might contribute to the variance. However, we would acknowledge that gathering data about IT spend and comparing like with like in this field is not straightforward, as has been pointed out, both by the Minister for the Cabinet Office in his evidence to the committee, and by others who have examined the issue, such as Dr Martin Read, who undertook the Operational Efficiency Review into Government ICT for the previous Government.

2.5. Conclusion on workstation pricing

HP would agree that there is often much redundant customisation in the provision of workstation services to the public sector, and that purchasing decisions have not always been made in a way which properly leverages the Government’s purchasing power. HP’s experience is that economies of scale continue to be gained by pooling the provision of workstation services at levels up to between 30,000 and 50,000 seats, depending on the complexity of the underlying infrastructure and the extent to which the user populations are distributed.

Buying such services on behalf of individual organisations with considerably fewer seats than this cannot reasonably be described as cost efficient. Similarly, buying on behalf of individual business units who themselves have requirements for smaller numbers of devices despite forming part of a larger organisation (as has historically often been the case, particularly in smaller departments with multiple NDPBs or agencies) is a practice which cannot be justified in terms of improved value for money. The Government could take steps to improve the cost-efficiency in the procurement of managed workstation services by pooling the purchasing power of smaller departments through more proactive use of framework contracts such as "Desktop/21". HP is one of three suppliers present on this framework, which has set price points available to any public sector organisation, which are closer to those at the bottom end of the comparison in the "Better for Less" report, despite being designed to meet the security requirements of Central Government organisations.

3. HP’s use of Open Source in Government Contracts 

 

During HP’s evidence to the committee, Mr Robert Halfon asked whether a note could be provided on how much work HP does with Open Source.

3.1. HP’s commitment to Open Source

HP has a longstanding and wide-ranging commitment to the use of Open Source technologies, as illustrated by the following points:

· HP is the world’s leading supplier of Linux-based server hardware and has been for eleven years.

· HP has developed software management tools to allow customers to integrate Linux platforms alongside systems running on proprietary operating systems.

· HP employs thousands of developers working on Open Source software and is an active sponsor of key organisations and events in the Open Source community. HP has donated its own Intellectual Property to help Open Source initiatives get off the ground.

· HP is the only major printer company to have made all of its Printer Drivers (more than 1,900) fully Open Source.

· HP is leading global efforts to develop Common Operating Environments (COEs) for Linux, and to develop what’s known as "Carrier Grade" Linux, suitable for use in the Telecoms industry.

· HP is successfully delivering Open Source solutions for Governments elsewhere in the world. We deploy Linux-based solutions for the US Government, and have undertaken a programme to migrate the Brazilian Navy’s HR, Payroll and Accounting Systems off a Mainframe onto an Open Source platform running Oracle.

3.2. HP’s use of Open Source in its UK Government Contracts

In most of our Government contracts, it is the Departments themselves who maintain responsibility for technology strategy and selecting the principal software products that they wish to deploy in their businesses. HP is actively working with its Government clients to exploit Open Source products where appropriate, and indeed Open Source software is already used extensively by HP across its central Government accounts in the UK.

It is however not practicable to provide a breakdown of the commercial value of this work. Open Source software is almost never used in isolation from commercial products, and the costs associated with implementing the "Open Source" components of a given project are therefore impossible to separate from those associated with implementing the proprietary parts. Nevertheless, we are able to provide an indication of the typical Open Source products and tools in use across our key Government contracts, to indicate the purpose to which they are put and the business areas in which some of them are used.

3.3. Incentives for HP to promote Open Source

During the session, Mr Halfon also suggested that it was in HP’s interest to discourage Open Source as a mechanism for ensuring clients are tied in to HP’s own software. We feel it important to put on record that we do not accept that premise, for two principal reasons:

Firstly whilst it is true that HP does have a software business, the majority of the proprietary software deployed in the course of our government outsourcing contracts is provided by other vendors and simply resold by HP at very low margin or bought directly by our government clients. Where it is resold, the act of including significant revenue from software sales at low margin in an HP contract only serves to dilute the overall profit margin which HP makes, and would typically be something that the company would seek to avoid. There is therefore no financial incentive in HP’s services contracts to promote proprietary software products where Open Source equivalents would lead to improved value for money to our public sector clients.

Second, whilst Open Source software typically has a lower acquisition price when compared with the equivalent proprietary software, it typically demands greater effort to integrate the various components to meet a given business requirement. In this regard therefore, HP’s interests could be regarded as being better served by the promotion of Open Source, as its use would lead to greater demand for services to effect a successful implementation.

In practice however, HP’s experience is that on any given project, the overall difference in costs between a proprietary and Open Source solution are marginal – the additional costs for proprietary software being offset by the additional cost of integration effort for Open Source solutions. As HP’s Craig Wilson stated in our verbal evidence, the overall picture is mixed, with some requirements better suited to Open Source, and others to proprietary software. Where the difference is marginal, our view would be that the decision about which route to adopt should be taken on the basis of risk. As the Committee will recognise, projects which involve the development of a lot of custom-written integration software are not usually compatible with the lowest risk.

4. The role played by SMEs in HP’s supply chain 

 

Mr de Bois questioned HP regarding the proportion of its Government revenue which is subcontracted to SMEs and the processes by which SME subcontractors are engaged.

4.1. Proportion of Government revenues subcontracted to SMEs

HP’s Craig Wilson stated in his evidence that more than 30% of HP’s government revenue is subcontracted to partners of all sizes and offered a follow-up note confirming the value of work which is subcontracted to SMEs.

HMRC’s definition of a Small or Medium Enterprise (SME) is a company with fewer than 500 employees, turnover of not more than 100 million Euros and a balance sheet of not more than 86 million Euros.

Based on this definition we have been able to identify 394 SME subcontractors which were used in the delivery of our UK Government business during the HP financial year ending 31st October 2010. During this year, £110 million of work was subcontracted to these SMEs in the discharge of our UK Government contracts.

4.2. HP’s work with SMEs

HP believes that SMEs have an important and increasing role to play in the delivery of IT services to Government. Globally HP works with around 160,000 different SME partners. In the UK, HP works with SMEs in many areas of its business. More than half of HP’s hardware sales, for example, go through an 8,000 strong SME network. This distribution channel accounts for over 16,000 SME jobs in the UK.

HP recognises the benefits of working with SMEs in terms of the speed, agility and innovation they offer. Our business is heavily dependent on our partnerships with SMEs both in delivering our products to market and in fulfilling our public and private sector contracts.

4.3. Becoming an SME partner of HP

HP is keen to engage with SMEs and actively seeks opportunities to work with them. We try to avoid creating barriers to SMEs working with us and believe that in many cases it is more practical for SMEs to engage in the delivery of public sector contracts as subcontractors to HP than by contracting directly with Government.

Prime contractors can provide a contractual and commercial gateway for SMEs and third sector organisations that allow them to work with bigger Government departments without going through the formal procurement process, which can be a costly, time-consuming and, for smaller companies, risky activity. In seeking to work with SMEs, prime contractors can adopt accelerated tendering processes that owe more to the procurement mechanisms found in commercial contracts than usual government ones. SMEs can further benefit from working as a subcontractor to HP in delivering government work because typically, when subcontracting to SMEs, we would not seek to flow down all the more onerous requirements of public sector contract terms to our suppliers.

4.3.1. HP’s Developer and Solution Partner Programme

To provide a mechanism for SMEs to work with HP, we run a programme called the Developer and Solution Partner Programme (DSPP). The DSPP is designed for Independent Software Vendors (ISVs), System Integrators (SIs), developers and consultants. It is intended to help small organisations sell to HP customers by working in partnership with HP account teams. 570 firms are currently part of the DSSP.

The Programme provides partners with resources to support them throughout all stages of solutioning, planning, development, marketing, selling and customer support. By working with HP, DSPP members benefit from access to information, resources and assistance designed to accelerate time to market, shorten sales cycles and improve customer loyalty.

The Programme is free for companies to join. HP DSPP representatives offer assistance with programme services, queries, helping partners obtain the required resources and streamlining the marketing process. Members of the programme are eligible for HP product discounting and have access to software downloads and development kits. HP DSPP also offers information and programmes geared to help partners find new ways to cultivate business and opportunities, as well as providing access to benefits in the areas of awareness creation, demand generation, sales support, tools and business information.

4.3.2. Recruitment campaigns

HP has, in relation to certain large public sector contracts, undertaken specific publicity campaigns directed at the SME community to attract their involvement in delivery. For example, in 2004 HP ran an awareness raising programme targeted at SMEs to encourage them to become partners in the delivery of the Defence Information Infrastructure programme. This included holding a conference, with workshops on the five key work areas where SME support was being sought. It was attended by 66 different companies and the feedback received was extremely positive. This campaign contributed to identifying some of the 100 or so SMEs that today help HP to deliver the Defence Information Infrastructure programme.

4.3.3. Supplier diversity

HP is keen to ensure that it is as open as possible in terms of working with SMEs, including a diverse range of suppliers. HP has a long history of encouraging SMEs to work with us – our first small business programme was established in the US in 1958. Since the late 1960s there has been a strong focus on ensuring that under represented businesses have equal opportunities to work with HP.

A formal Supplier Diversity Programme was established in the UK in 2004. HP works with Minority Supplier Development UK and WEConnect, an NGO that increases opportunities for women-owned enterprises to compete, to encourage businesses that might not readily approach HP to consider working with us.

4.3.4. Payment terms

In 2010 HP signed an agreement with the Cabinet Office to pass on 30 day payments to subcontractors. This is to ensure that the benefits of swift payment are passed through the supply chain to the supplier base that most require them.

4.4. Increasing the involvement of SMEs in the public sector supply chain

Many major public sector contracts in the UK already place requirements on prime contractors to involve SME suppliers in delivery where possible. In many other countries where HP operates this requirement is more closely defined and the involvement of SME suppliers is a key criterion in the selection of prime contractors. In some countries, including Australia and the US, quotas for the involvement of SMEs in delivery are a common requirement in major contracts. HP would be supportive of measures to require the greater involvement of SMEs in the delivery of public sector contracts in the UK.

5.
VME migration 

 

In discussion regarding the use of SMEs in Government contracts, Mr Jenkin discussed the DWP’s ongoing reliance on the VME operating system, and suggested that it might be worth considering getting "a dozen or two dozen SMEs to brainstorm how to convert the data into a modern operating system".

HP has an interest in reducing the dependence that its customers have on aged proprietary operating systems like VME. Over several years we have worked with a variety of SMEs to look in detail at potential strategies for moving DWP benefit systems off VME. However, the business case for such a change is far from clear for the Department as dependency on VME is declining as new systems come on stream

Whilst HP acknowledges that there are SMEs who may be able to suggest innovative solutions to similar problems, we believe that this specific suggestion fails to comprehend quite how the DWP’s reliance on VME arose and why moving away from the platform has seemingly presented such problems. In summary, it is not a technical problem per-se, or merely a question of converting the data to a modern system, but rather a question of balancing the scale of both technical and business change required to effect the change against the benefits that might arise from doing so.

5.1. History

The VME-based range of legacy benefit systems that are still in use today was produced as a result of the "Operational Strategy" Programme, started in the early 1980s by the Department for Health and Social Security. These systems were built to automate the manual processes of the previous benefit delivery departments within Government. Essentially, the approach adopted for the Operational Strategy Programme was to create a single system for each individual benefit. However, in order to deliver the best value for money, the various benefit systems shared IT components and infrastructure; additionally, there were many business and data interfaces due to the interactions between the various benefits – for example, entitlement to one benefit raising income levels and hence impacting entitlement to other benefits, and so on. This led to a highly integrated set of business and IT systems for benefit processing that were optimised to maximise the efficiency of case workers within the then, benefit-focussed, or "Product Centric", delivery organisations.

Over the last few years, the problems resulting from a "Product Centric" model have been the focus of a number of Government reports and this has led to the modern view that benefit systems should be focussed on the claimant i.e. be "Customer Centric" - this requires a set of delivery systems that look across all the benefits delivered to an individual. Consequently, this requires a set of business systems whose flow is at "right angles" to the structure of the current legacy systems. This issue and legacy systems’ lack of easy adaptability to the more efficient, new communication channels (i.e. telephony and intranet), have resulted in the need to modernise the existing VME-based systems.

5.2. The Modernisation Challenge

Since the 1990s many different companies and experts on legacy system transformation have looked at how DWP’s VME-based legacy systems might be modernised. As a result, a number of approaches to modernisation have already been attempted and/or considered, including replacement of the legacy infrastructure, the use of Commercial, ‘off the shelf’ (COTS) products and the creation of ‘Presentation Layers’ or Front Ends to "mask" the legacy systems.

The key problem with migrating to more modern technologies however is not the absence of an appropriate contemporary IT solution, but rather that because of the highly integrated nature of the legacy benefit systems, converting any single benefit to a new model requires that all the business and data interfaces need to be rebuilt and/or replaced at the same time. As a result the proposition of migrating to a new system is, for one benefit, very costly. This, coupled with the risks associated with this change and the ever-present need to successfully implement a policy on the agreed date, has always hampered efforts to implement effective modernisation of the legacy systems on a piecemeal basis.

Where only one benefit is being changed, a combination of the adaption and re-use of a similar VME-based application, along with a modernised front-end system (optimised for use with that particular legacy benefit) are the only examples that exist in DWP for successful ‘modernisation’. It is questionable as to whether this is "true" modernisation, as the underlying benefit system is still ‘Product Centric’ and operating on the VME platform.

5.3. Successful Modernisation and Universal Credit

The complete modernisation of any benefit requires that all related benefit systems (or at least the majority) are replaced and modernised at the same time. The only other approach is to rewrite all the links (interfaces) between the benefit system being modernised and the legacy systems with which it is interfaced. This would be expensive and not reusable as these same interfaces would need to be rewritten again when the next benefit system was modernised.

HP believes that the current policy of introducing Universal Credit offers a realistic modernisation opportunity as for the first time, it represents a programme of change that will replace all the major Working Age benefits simultaneously, and is therefore of sufficient scale that the risk and cost of updating the infrastructure is smaller (both relatively and absolutely) due to fewer interfaces being required (through amalgamating benefits).

Public and private sector project performance 

 

Mr Jenkin questioned HP regarding the relative performance of projects delivered for public and private sector clients. Craig Wilson stated that data collected by HP indicated there was no evidence of a worse overall performance in public sector contracts relative to the private sector, and offered a follow-up note.

5.4. How HP monitors project performance.

HP has a number of internal tools for collecting and monitoring the performance of projects that it conducts for its clients. These tools collect two key indicators – the CPI (Cost Performance Index) and SPI (Schedule Performance Index) – which are objective measures comparing actual project time and cost versus budgeted time and cost. An SPI score of 1.0 means that a project is on schedule. A score of less than 1 means the project is behind schedule, more than 1 means that the project is ahead of schedule. Similarly for the Cost Performance Index, a CPI score of 1.0 equates to a project being on budget, a score of less than 1 indicates that the project is spending more than planned, and a score of more than 1 indicates that the project is spending less than planned.

5.5. Comparison of Outcomes

For the purposes of this note, we have analysed project CPI and SPI data for a total of 736 project reports spanning the last two years intervals for our UK Clients. Of these projects, 42% are for Government clients, 58% for private sector clients.

5.5.1. Performance to Schedule (SPI)

Plotting the number of projects (as a % of the total) at each SPI value for each of the Government (solid/blue line) and non-Government (dotted/red line) groups gives the following results:

It can be seen that whilst the distribution for non-Government projects is more tightly packed around a score of 1.0 (on Schedule) than for Government projects, the difference is marginal at worst. Although there is a slight "shoulder" on the "behind schedule" side (0.9 to 1.0) for Government projects, there is a similar (albeit smaller) "shoulder" on the "ahead of schedule" side (1.0 to 1.1). Both distributions (Government and non-Government) flatten out very quickly, with only a very small distribution of projects in the very bad (<0.85) or very good (>1.15) areas in each case.

5.5.2. Performance to Budget (CPI)

Plotting the number of projects (as a % of the total) at each CPI value for each of the Government (solid/blue line) and non-Government (dotted/red line) groups gives the following results:

Similarly to the SPI data, whilst the non-Government projects (dotted/red line) show a tighter distribution around a CPI score of 1.0 (i.e. on budget) than the Government projects, the difference is once again, marginal. The variance in performance (e.g. the width of the distribution) overall is wider than SPI, but, in contrast to the SPI, the "shoulder" on the ahead-of-cost side of the curve is larger than the ‘behind’ (<1.0) side for Government projects.

In other words, the data suggests that, in comparison to non-Government projects, whilst Government projects are marginally more likely to be a little behind schedule, they are also marginally more likely to be under budget.

5.6. Conclusions from this data

Clearly, this data is solely for HP’s project performance during the last two years. We are however confident that it supports our assertion that there is not a significant difference between the performance of Government and non-Government projects during this term.

Based on real data, it can be seen that over the last 2 years, it is very likely that a Government project will come in between 30% under and 10% over on cost; and between 10% ahead and 10% behind on schedule. Similar figures for non-Government would be 20% under and 10% over on cost; and 2% ahead and 10% behind on schedule.

April 2011