Category Archives: Legacy ICT

Is Gauke being told the whole truth on Universal Credit’s rollout problems?

By Tony Collins

“It is working,” said Work and Pensions secretary David Gauke in Manchester yesterday. He was referring to a plan to accelerate the rollout of Universal Credit from this month.

“I can confirm that the rollout will continue, and to the planned timetable,” he added.

But are civil servants giving Gauke – and each other – full and unexpurgated briefings on the state of the Universal Credit programme?

Last year, in a high-level DWP document that government lawyers asked a judge not to release for publication, a DWP director referred to

“a lack of candour and honesty throughout the [Universal Credit] programme.”

Senior civil servants were not passing bad news on the state of the Universal Credit IT programme even to each other.

The DWP document was dated several years after Iain Duncan-Smith, the original force behind the introduction of Universal Credit, found his internal DWP briefings on the state of the UC programme so inadequate – a “good news” culture prevailed – that he brought in his own external advisers – what he called his “red team”.

In 2013 the National Audit Office, in a report on Universal Credit, said a “good news” mentality within the DWP prevented problems being discussed.

If problems could not be discussed they could not be addressed.

Last year the Institute for Government, in a report on Universal Credit, said IT employees at the DWP’s Warrington offices burst into tears with relief when at last permitted – by external advisers –  to talk openly about problems on the programme.

The Work and Pensions Committee has questioned why DWP ministers told MPs all was going well with the programme when it was well behind schedule and beset with problems.

The Public Accounts Committee called the DWP “evasive and selective” when it came to passing on information about the state of the Universal Credit programme.

Is there any reason to believe that the “fortress mentality” that the NAO referred to in its report on Universal Credit in 2013 is no longer present?

When David Gauke announced yesterday that he is continuing the rollout of Universal Credit, was he basing his decision on the full facts – or a “good news” version of it as told to him by the DWP?

Comment

David Gauke will have been given the “new minister” treatment when he joined the DWP on 11 June 2017.

“The first thing you’ve got to overcome when you walk through the door is that everybody is being almost far too nice to you,” said one of Gauke’s predecessors, Iain Duncan Smith. He was speaking in 2016 after leaving the DWP.

IDS was much criticised for assuring Parliament all was well with the Universal Credit IT programme when it wasn’t. But maybe he was right to point out that, when he joined the DWP, he found that the “biggest cultural barrier” was getting civil servants to be honest about difficulties.

“The Civil Service, legitimately, see it as their role to deliver on politicians’ policy demands and this can sometimes make them resistant to the idea that they should inform you early of problems,” said IDS.

It was IDS who told BBC’s Radio 4 Today programme in December 2013, that Universal Credit was on track.

“It’s on budget. It’s on budget. Some 6.5million people will be on the system by the end of 2017.”

In fact, fewer than 700,000 people are claiming Universal Credit,  according to the latest DWP statistics.

DWP’s 30 years of a “good news” culture

In the past 30 years, it has been almost unknown for the DWP’s mandarins to concede that they have had serious problems with any of their major IT-based projects and programmes.

Perhaps it’s understandable, then, that Gauke apparently refuses to listen to critics and continues with the accelerated rollout of Universal Credit.

Would he have any idea that the Citizens Advice Bureau, in a carefully-researched report this year, said that some claimants are on the DWP’s “live service” (managed by large IT suppliers) which is “rarely updated” while other claimants are on a separate “full service” – what the CAB calls a “test and learn” system – which is still being designed?

Would Gauke know of the specific concerns of the all-party Work and Pensions Committee which wrote to the DWP earlier this year about Universal Credit decision makers being “overly reliant on information from [HMRC’s] Real-time information” even when there is “compelling evidence” that this data is  incorrect?

Would Gauke have any reason to believe those who refer to regular computer breakdowns and inaccurate and inconsistent data?

In the DWP’s own document that it did not want published, the DWP director said that, internally, “people stopped sharing comments which could be interpreted as criticism of the Programme, even when those comments would be useful as part of something like an MPA [Major Projects Authority] review.”

Many staff believed the official line was ‘everything is fine’. Nobody wanted to be seen to contradict it.

All this suggests that the DWP will carry on much as before, regardless of external criticism.  Individual ministers are accountable but they move on. Their jobs are temporary. It’s the permanent civil service that really matters when it comes to the implementation of Universal Credit.

But mandarins are neither elected nor effectively accountable.

NHS IT programme?

There may be some comparisons between Universal Credit and the NHS IT programme, the £10bn NPfIT.

A plethora of independent organisations and individuals expressed concerns about the NPfIT but minister after minister dismissed criticisms and continued the rollout. The NPfIT was dismantled many years later, in 2011. Billions was wasted.

Based on their civil service briefings, NPfIT ministers had no reason to believe the programme’s critics.

Universal Credit has more support than the NPfIT and the IT is generally welcomed, not shunned. But the Universal Credit rollout is clearly not in a position yet to be speeded up.

Whether Gauke will recognise this before his time is up at the DWP is another matter.

Like IDS, Stephen Crabb and Damian Green – all secretaries of state during the rollout of Universal Credit – Gauke will move on and his successor will get the “new minister” treatment.

And the cycle of ministerial “good news” briefings will continue.

Perhaps the DWP’s senior civil servants believe they’re protecting their secretaries of state.

As the civil servant Bernard Woolley said in “Yes Minister”

“If people don’t know what you’re doing, they don’t know what you’re doing wrong.”

Thank you to David Orr, an ardent campaigner for open government, who alerted me to Universal Credit developments that form part of this article.

Advertisements

Aftermath of the cyber attack – will ministers learn the wrong lessons?

By Tony Collins

At least 16 NHS trusts out of 47 that were hit by the ransomware attack continue to face problems, according to BBC research.

And, as some patients continued to have their cancer treatments postponed, Tory, Labour and Lib-dem politicians told of their plans to spend more money on NHS IT.

But will any new money promised by government focus on basic weaknesses – such as the lack of interoperability and the structural complexities that made the health service vulnerable to cyber attack?

Last year when the health secretary Jeremy Hunt announced £4bn for NHS IT, his focus was on new technologies such as smartphone apps to order repeat prescriptions rather than any urgent need to upgrade MRI, CT and other medical devices that rely on Windows XP.

Similarly the government-commissioned Wachter review “Making IT Work: Harnessing the Power of HealthInformation Technology to Improve Care in England made no mention of Windows XP or any operating system – perhaps because ministers were much more likely to welcome a review of NHS IT that focused on innovation and new technologies.

Cancer treatments postponed

The Government’s position is that the NHS was not specifically targeted in the cyber attack and that the Tories are putting £2bn into cyber security over the next year.

Theresa May said yesterday,

“It was clear warnings were given to hospital trusts but this is not something that was focused on attacking the NHS. 150 countries are affected. Europol says there are 200,000 victims across the world. Cyber security is an issue we need to address.

“That’s why the government, when we came into government in 2010, put money into cyber security. It’s why we are putting £2bn into cyber security over the coming year.”

Similarly Jeremy Hunt, health secretary, told the BBC that the attack affected international sites that have “some of the most modern IT systems”.

But the BBC’s World at One gave an example of how the NHS’s IT problems were affecting the lives of patients.

It cited the case of Claire Hobday whose radiography appointment for breast cancer at Lincoln County Hospital was cancelled on Friday (12 May 2017) and she still doesn’t know when she’ll receive treatment. Hobday said,

“I turned up by hospital transport for my second radiotherapy session, and I, along with many other patients – at least 20 other people were waiting – and they said the computers weren’t working.

“I do have to say the staff were very good and very quickly let us all know that they were having trouble with the computers. They didn’t want to misinform us, so they were going to come and talk to us all individually and hoped they would be able to rectify it.

“Within half an hour or so they came out and said, ‘We’re really sorry but it’s not going to get sorted. We’ll send you all home and give you a call on Sunday’ which didn’t happen.

“But they did ring me this morning (15 May 2017) to say it’s not happening today and if transport turns up please don’t get in it, and it’s very unlikely it will happen tomorrow.

“It is just a bit upsetting that other authorities have managed to sort it but Lincolnshire don’t seem to have been able to do that.”

United Lincolnshire Hospitals Trust told World at One it will be back in touch with patients once the IT system is restored.

Roy Grimshaw was in the middle of an MRI scan – after dye was injected into his blood stream –  when the scan was stopped and he was asked to go back into the waiting room in his gown, with tubes attached to him, while staff investigated a computer problem. After half an hour he was told the NHS couldn’t continue the scan.

Budgets “not an issue”?

GP practices continue to be affected. Keiran Sharrock, GP and medical director of Lincolnshire local medical committee, said yesterday (15 Mat 2017) that systems were switched off in “many” practices.

“We still have no access to medical records of our patients. We are asking patients to only contact the surgery if they have an urgent or emergency problem that needs dealing with today. We have had to cancel routine follow-up appointments for chronic illnesses or long-term conditions.”

Martha Kearney – BBC World at One presenter –  asked Sharrock about NHS Digital’s claim that trusts were sent details of a security patch that would have protected against the latest ransomware attack.

“I don’t think in general practice we received that information or warning. It would have been useful to have had it,” replied Sharrock.

Kearney – What about claims that budget is an aspect of this?

Sharrock: “Within general practice that doesn’t seem to be the reason this happened. Most general practices have people who can work on their IT and if we’d been given the patch and told it needed to be installed, most practices would have done that straight away.”

GCHQ

World at One also spoke to Ciaran Martin, Director General for Government and Industry Cyber Security.  He is a member of the GCHQ board and its senior information risk owner.  He used to be Constitution Director at the Cabinet Office and was lead negotiator for the Prime Minister in the run-up to the Edinburgh Agreement in 2012 on a referendum on independence for Scotland.

Kearney: Did your organisation issue any warnings to the health service?

Martin: “We issue warnings and advice on how to upgrade defences constantly. It’s generally public on our website and it’s made very widely available for all organisations. We are a national organisation protecting all critical sectors and indeed individuals and smaller organisations as well.”

Huge sums spent on paying ransoms?

Kearney asked Martin, “How much money are you able to estimate is being spent on ransoms as a result of these cyber attacks?” She added,

“I did hear one astonishing claim that in the first quarter of 2016 more money was spent in the USA on responding to ransomware than [was involved] in armed robberies for the whole of that year?”

Martin: “First let me make clear that we don’t condone the payment of ransoms and we strongly advise bodies not to pay and indeed in this case the Department of Health and the NHS have been very clear that affected bodies are not to pay ransoms. Across the globe there is, sadly, a market in ransomware. It is often the private sector in shapes and sizes that is targeted.”

Martha Kearney said the UK may be a target because it has a reputation for being willing to pay ransoms.

Martin, “We are no more or less a target for ransomware than anywhere else. It’s a global business; and it is a business. It is all about return on investment for the attacker.

“What’s important about that is that it’s all about upgrading defences because you can make the return on investment lower by making it harder to get in.”

If an attacker gets in the aim must be to make it harder to get anything useful, in which case the “margin on investment goes down”. He added,

“That’s absolutely vital to addressing this problem.”

Are governments at fault?

Martin,

“Vulnerabilities will always exist in software. Regardless of who finds the underlying software defect, it’s incumbent on the entire cyber security ecosystem – individual users, enterprises, governments or whoever – to work together to mitigate the harm.”

He added that there are “all sorts of vulnerabilities out there” including with open source software.

Windows XP

Computer Weekly reports – convincingly – that the government did not cancel an IT support contract for XP.

Officials decided to end a volume pricing deal with Microsoft which left NHS organisations to continue with XP support if they chose to do so. This was clearly communicated to affected departments.

Government technology specialists, reports Computer Weekly, did not want a volume pricing deal with Microsoft to be  “comfort blanket” for organisations that – for their own local reasons – were avoiding an upgrade from XP.

Computer Weekly also reported that civil servants at the Government Digital Service expressed concerns about the lack of technical standards in the NHS to the then health minister George Freeman.

Freeman was a Department of Health minister until July 2016. In their meeting with Freeman, GDS officials  emphasised the need for a central body to set technical standards across the NHS, with the authority to ensure trusts and other organisations followed best practice, and with the transparency to highlight those who chose not to.

A source told Computer Weekly that Jeremy Hunt was also briefed on the security risks that a lack of IT standards would create in a heavily-federated NHS but it was not considered a priority at that top political level.

“Hunt never grasped the problem,” said the source.

There are doubts, though, that Hunt could have forced trusts to implement national IT security standards even if he’d wanted to. NHS trusts are largely autonomous and GDS has no authority to mandate technical standards. It can only advise.

How our trust avoided being hit

A comment by an NHS IT lead on Digital Health’s website gives an insight into how his trust avoided being hit by the latest cyber attack.  He said his trust had a “focus on perimeter security” and then worked back to the desktop.

“This is then followed up by lots of IG security pop ups and finally upgrading (painfully) windows XP to windows 7…” He added,

“NHS Digital have to take a lead on this and enforce standards for us locally to be able to use.”

He also suggests that NHS Digital sign a Microsoft Enrollment for Windows Azure [EWA] agreement as it is costly arranging such a deal locally.

 “NHS Digital must for me, step in and provide another MS EWA as I am sure the disruption and political fall-out will cost more. Introduce an NHS MS EWA, introduce standards for software suppliers to comply with latest OS and then use CQC to rate organisations that do not upgrade.”

Another comment on the Digital Health website says that even those organisations that could afford the deployment costs of moving from XP to Windows 7 were left with the “professional” version, which “Microsoft has mercilessly withdrawn core management features from (e.g. group policy features)”.

The comment said,

“There are a lot of mercenary enterprises taking advantage of the NHS’s inability to mandate and coordinate the required policies on suppliers which would at least give the under-funded and under-appreciated IT functions the ability to provide the service they so desperately want to.”

A third comment said that security and configuration management in the NHS is “pretty poor”. He added, “I don’t know why some hospitals continue to invest in home-brew email systems when there is a national solution ready and paid for.

“In this recent attack most the organisations hit seem to use local email systems.”

He also criticised NHS organisations that:

  • Do not properly segment their networks
  • Allow workstations to openly and freely connect to each other in a trusted zone.
  • Do not have a proper patch / update management regime
  • Do not firewall legacy systems
  • Don’t have basic ACLs [access control lists)

Three lessons?

  • Give GDS the ability to mandate no matter how many Sir Humphreys would be upset at every challenge to their authority. Government would work better if consensus and complacency at the top of the civil service were regarded as vices, while constructive, effective and forceful criticism was regarded as a virtue.
  • Give the NHS money to spend on the basic essentials rather than nice-to-haves such as a paperless NHS, trust-wide wi-fi, smartphone apps, telehealth and new websites. The essentials include interoperability – so that, at the least, all trusts can send test results and other medical information electronically to GPs –  and the upgrading of medical devices that rely on old operating systems.
  •  Plan for making the NHS less dependent on monolithic Microsoft support charges.

On the first day of the attacks, Microsoft released an updated patch for older Windows systems “given the potential impact to customers and their businesses”.

Patches are available for: Windows Server 2003 SP2 x64Windows Server 2003 SP2 x86, Windows XP SP2 x64Windows XP SP3 x86Windows XP Embedded SP3 x86Windows 8 x86, and Windows 8 x64.

Reuters reported last night that the share prices of cyber security companies “surged as investors bet on governments and corporations spending to upgrade their defences”.

Network company Cisco Systems also closed up (2.3%), perhaps because of a belief that it would benefit from more network spending driven by security needs.

Security company Avast said the countries worst affected by WannaCry – also known as Wannacypt – were Russia, Taiwan, Ukraine and India.

Comment

In a small room on the periphery of an IT conference on board a cruise ship , nearly all of the senior security people talked openly about how their board directors had paid ransoms to release their systems after denial of service attacks.

Some of the companies – most of them household names – had paid ransoms more than once.

Until then, I’d thought that some software suppliers tended to exaggerate IT security threats to help market their solutions and services.

But I was surprised at the high percentage of large companies in that small room that had paid ransoms. I no longer doubted that the threats – and the damage – were real and pervasive.

The discussions were not “off-the-record” but I didn’t report their comments at the time because that would doubtless have had job, and possibly even career ramifications, if I had quoted the security specialists by name.

Clearly ransomware is, as the GCHQ expert Kieran Martin put it, a global business but, as ransoms are paid secretly – there’s not a whisper in corporate annual accounts – the threat has not been taken seriously enough in some parts of the NHS.

The government’s main defence is that the NHS was not targeted specifically and that many private organisations were also affected.

But the NHS has responsibility for lives.

There may be a silver lining if a new government focuses NHS IT priorities on the basics – particularly the structural defects that make the health service an easy target for attackers.

What the NHS doesn’t need is a new set of politicians and senior civil servants who can’t help massaging their egos and trying to immortalise their legacy by announcing a patchwork of technological marvels that are fun to work on, and spend money on, but which gloss over the fact that much of the NHS is, with some notable exceptions, technologically backward.

Microsoft stockpiled patches – The Register

UK government, NHS and Windows XP support – what really happened – Computer Weekly

NHS letter on patches to counter cyber attack

Multiple sites hit by ransomware attack – Digital Health (31 comments)

Lessons from the WannaCrypt – Wannacry – cyber attack according to Microsoft

 

Southwest One – a positive postscript

By Tony Collins

somerset county council2IBM-led Southwest One has had a mostly bad press since it was set up in 2007. But the story has a positive postscript.

Officials at Somerset County Council now understand what has long been obvious to ICT professionals: that the bulk of an organisation’s savings come from changing the way people work – and less from the ICT itself.

Now that Somerset County Council has the job of running its own IT again – its IT-based relationship with Southwest One ended prematurely in December 2016 – the council’s officials have realised that technology is not an end in itself but an “enabler” of headcount reductions and improvements in productivity.

A 2017 paper by the county council’s “Programme Management Office”  says the council has begun a “technology and people programme” to “contribute to savings via headcount reduction by improving organisational productivity and process efficiency using technology as the key enabler”.

Outsourcing IT a “bad mistake” 

It was in 2007 that Somerset County Council and IBM launched a joint venture, Southwest One. The new company took over the IT staff and some services from the council.

In the nine years since then the council has concluded that outsourcing ICT – thereby separating it from the council’s general operations – was not a good idea.

The same message – that IT is too integral and important to an organisation  to be outsourced – has also reached Whitehall’s biggest department, the Department for Work and Pensions.

Yesterday (8 February 2017) Lord Freud,  who was the Conservative minister in charge of Universal Credit at the Department for Work and Pensions, told MPs that outsourcing IT across government had proved to be a “bad idea”.  He said,

“What I didn’t know, and I don’t think anyone knew, was how bad a mistake it had been for all of government to have sent out their IT…

“You went to these big firms to build your IT. I think that was a most fundamental mistake, right across government  and probably across government in the western world …

” We talk about IT as something separate but it isn’t. It is part of your operating system. It’s a tool within a much better system. If you get rid of it, and lose control of it, you don’t know how to build these systems.

” So we had an IT department but it was actually an IT commissioning department. It didn’t know how to do the IT.

“What we actually discovered through the (Universal Credit) process was that you had to bring the IT back on board. The department has been rebuilding itself in order to do that. That is a massive job.”

Task facing Somerset officials

Somerset County Council says in its paper that the council now suffers from what it describes as:

  • Duplicated effort
  • Inefficient business processes
  • A reliance on traditional ways of working (paper-based and meeting-focused).
  • Technology that is not sufficient to meet business needs
  • Inadequate data extraction that does not support evidence based decision making.
  • “Significant under-investment in IT”.

To help tackle these problems the council says it needs a shift in culture. This would enable the workforce to change the way it works.  

From January 2017 to 2021, the council plans “organisation and people-led transformational change focused on opportunities arising from targeted systems review outcomes”.

The council’s officers hope this will lead to

  • Less unproductive time in travelling and  attending some statutory duties such as court proceedings.
  • Fewer meetings.
  • Reduced management time because of fewer people to manage e.g. supervision, appraisal, performance and sickness.
  • Reduced infrastructure spend because fewer people will mean cuts in building and office costs, and IT equipment. Also less training would be required.
  • Reduction in business support process and roles.
  • Reduction in hard copy file storage and retention.

 The council has discovered that it could, for instance, with changes in working practices supported by the right technology,  conduct the same number of social services assessments with fewer front- line social workers or increase the level of assessments with the same number of staff.

Southwest One continues to provide outsourced services to Avon and Somerset Police. The contract expires next year.

Comment

Somerset County Council is taking a bold, almost private sector approach to IT.

Its paper on “technology and people” says in essence that the council cannot  save much money by IT change alone.

Genuine savings are to be found in changing ways of working and thus reducing headcount. This will require very close working – and agreement – between IT and the business end-users within the council.

It is an innovative approach for a council.

The downside is that there are major financial risks, such as a big upfront spend with Microsoft that may or may not more than pay for itself.

Does outsourcing IT ever make sense?

Somerset County Council is not an international organisation like BP where outsourcing and standardising IT across many countries can make sense.

The wider implication of Somerset’s experience – and the experience of the Department for Work and Pensions – is that outsourcing IT in the public sector is rarely a good idea.

Thank you to Dave Orr, who worked for Somerset County Council as an IT analyst and who has, since the Southwest One contract was signed in 2007, campaigned for more openness over the implications of the deal.

He has been more effective than any Somerset councillor in holding to account the county council, Taunton Deane Borough Council and Avon and Somerset Police, over the Southwest One deal.  He alerted Campaign4Change to Somerset’s “Technology and People Programme” Somerset paper.

One of Orr’s recent discoveries is that the council’s IT assets at the start of the Southwest One contract were worth about £8m and at hand-back in December 2016 were worth just £0.32m, despite various technology refreshes.

Somerset County Council’s “Technology and People Programme” paper

Whitehall’s outsourcing IT a “bad mistake” – and other Universal Credit lessons, by a former DWP minister

Excellent reports on lessons from Universal Credit IT project published today – but who’s listening?

By Tony Collins

“People burst into tears, so relieved were they that they could tell someone what was happening.”

The Institute for Government has today published one of the most incisive – and revelatory – reports ever produced on a big government IT project.

It concludes that the Universal Credit IT programme may now be in recovery after a disastrous start, but recovery does not mean recovered. Much could yet floor the programme, which is due to be complete in 2022.

The Institute’s main report is written by Nick Timmins, a former Financial Times journalist, who has written many articles on failed publicly-funded IT-based projects.

His invaluable report, “Universal Credit – from disaster to recovery?” – includes interviews with David Pitchford, a key figure in the Universal Credit programme, and Howard Shiplee who led the Universal Credit project.

Timmins also spoke to insiders, including DWP directors, who are not named, and the former secretary of state at the Department for Work and Pensions Iain Duncan Smith and the DWP’s welfare reform minster Lord Freud.

Separately the Institute has published a shorter report “Learning the lessons from Universal Credit which picks out from Timmins’ findings five “critical” lessons for future government projects. This report, too, is clear and jargon-free.

Much of the information on the Universal Credit IT programme in the Timmins report is new. It gives insights, for instance, into the positions of Universal Credit’s major suppliers HP, IBM, Accenture.

It also unearths what can be seen, in retrospect, to be a series of self-destructive decisions and manoeuvres by the Department for Work and Pensions.

But the main lessons in the report – such as an institutional and political inability to face up to or hear bad news – are not new, which raises the question of whether any of the lessons will be heeded by future government leaders – ministers and civil servants – given that Whitehall departments have been making the same mistakes, or similar ones, for decades?

DWP culture of suppressing any bad news continues

Indeed, even as the reports lament a lack of honesty over discussing or even mentioning problems – a “culture of denial” – Lord Freud, the minister in charge of welfare reform, is endorsing FOI refusals to publish the latest risk registers, project assessment reviews and other Universal Credit reports kept by the Department for Work and Pensions.

More than once Timmins expresses his surprise at the lack of information about the programme that is in the public domain. In the “acknowledgements” section at the back of his report Timmins says,

“Drafts of this study were read at various stages by many of the interviewees, and there remained disputes not just about interpretation but also, from some of them, about facts.

“Some of that might be resolvable by access to the huge welter of documents around Universal Credit that are not in the public domain. But that, by definition, is not possible at this stage.”

Churn of project leaders continues

Timmins and the Institute warn about the “churn” of project leaders, and the need for stable top jobs.

But even as the Institute’s reports were being finalised HMRC was losing its much respected chief digital officer Mark Dearnley, who has been in charge of what is arguably the department’s riskiest-ever IT-related programme, to transfer of legacy systems to multiple suppliers as part of the dismantling of the £8bn “Aspire” outourcing venture with Capgemini.

Single biggest cause of Universal Credit’s bad start?

Insiders told Timmins that the fraught start of Universal Credit might have been avoided if Terry Moran had been left as a “star” senior responsible owner of the programme. But Moran was given two jobs and ended up having a breakdown.

In January 2011, as the design and build on Universal Credit started, Terry Moran was given the job of senior responsible owner of the project but a few months later the DWP’s permanent secretary Robert Devereux took the “odd” decision to make Moran chief operating officer for the entire department as well. One director within the DWP told Timmins:

“Terry was a star. A real ‘can do’ civil servant. But he couldn’t say no to the twin posts. And the job was overwhelming.”

The director claimed that Iain Duncan Smith told Moran – a point denied by IDS – that if Universal Credit were to fail that would be a personal humiliation and one he was not prepared to contemplate. “That was very different from the usual ministerial joke that ‘failure is not an option’. The underlying message was that ‘I don’t want bad news’, almost in words of one syllable. And this was in a department whose default mode is not to bring bad news to the top. ‘We will handle ministers’ is the way the department operates…”

According to an insider, “Terry Moran being given the two jobs was against Iain’s instructions. Iain repeatedly asked Robert [Devereux] not to do this and Robert repeatedly gave him assurances that this would be okay” – an account IDS confirms. In September 2012, Moran was to have a breakdown that led to early retirement in March 2013. He recorded later for the mental health charity Time to Talk that “eventually, I took on more and more until the weight of my responsibilities and my ability to discharge them just grew too much for me”.

Timmins was told, “You cannot have someone running the biggest operational part of government [paying out £160bn of benefits a year] and devising Universal Credit. That was simply unsustainable,”

Timmins says in his report, “There remains a view among some former and current DWP civil servants that had that not happened (Moran being given two jobs), the programme would not have hit the trouble it did. ‘Had he been left solely with responsibility for UC [Universal Credit], I and others believe he could have delivered it, notwithstanding the huge challenges of the task,’ one says.”

Reviews of Universal IT “failed”

Timmins makes the point that reviews of Universal Credit by the Major Projects Authority failed to convey in clear enough language that the Universal Credit programme was in deep trouble.

“The [Major Projects Authority] report highlighted a lack of sufficient substantive action on the points raised in the March study. It raised ‘high’ levels of concern about much of the programme – ‘high’ being a lower level of concern than ‘critical’. But according to those who have seen the report, it did not yet say in words of one syllable that the programme was in deep trouble.”

Iain Duncan Smith told Timmins that the the Major Projects review process “failed me” by not warning early enough of fundamental problems. It was the ‘red team’ report that did that, he says, and its contents made grim reading when it landed at the end of July in 2012.

Train crash on the way

The MPA [Cabinet Office’s Major Projects Authority] reviewed the programme in March 2011. “MPA reports are not in the public domain. But it is clear that the first of these flagged up a string of issues that needed to be tackled …

” In June a member of the team developing the new government’s pan-government website – gov.uk – was invited up to Warrington [base for the Universal Credit IT team] to give a presentation on how it was using an agile approach to do that.

“At the end of the presentation, according to one insider, a small number from the audience stayed behind, eyeing each other warily, but all wanting to talk. Most of them were freelancers working for the suppliers. ‘Their message,’ the insider says, ‘was that this was a train crash on the way’ – a message that was duly reported back to the Cabinet Office, but not, apparently, to the DWP and IDS.”

Scared to tell the truth

On another occasion when the Major Projects Authority visited the IT team at Warrington for the purposes of its review, the review team members decided that “to get to the truth they had to make people not scared to tell the truth”. So the MPA “did a lot of one-on-one interviews, assuring people that what they said would not be attributable. And under nearly every stone was chaos.

“People burst into tears, so relieved were they that they could tell someone what was happening.

” There was one young lad from one of the suppliers who said: ‘Just don’t put this thing [Universal Credit] online. I am a public servant at heart. It is a complete security disaster.’

IBM, Accenture and HP

“Among those starting to be worried were the major suppliers – Accenture, HP and IBM. They started writing formal letters to the department.

‘Our message,’ according to one supplier, ‘was: ‘Look, this isn’t working. We’ll go on taking your money. But it isn’t going to work’.’ Stephen Brien [then expert adviser to IDS] says of those letters: ‘I don’t think Iain saw them at that time, and I certainly didn’t see them at the time.”

At one point “serious consideration was given to suing the suppliers but they had written their warning letters and it rapidly became clear that that was not an option”.

Howard Shiplee, former head of the project, told Timmins that he had asked himself ‘how it could be that a very large group of clever people drawn from the DWP IT department with deep experience of the development and operation of their own massive IT systems and leading industry IT suppliers had combined to get the entire process so very wrong? Equally, ‘how could another group of clever people [the GDS team] pass such damning judgement on this earlier work and at the stroke of a pen seek to write off millions of pounds of taxpayers’ money?’

Shiplee commissioned a review from PwC on the work carried out to date and discovered that the major suppliers “were genuinely concerned to have their work done properly, support DWP and recover their reputations”.

In addition, when funding had been blocked at the end of 2012, the suppliers “had not simply downed tools but had carried on development work for almost three months” as they ran down the large teams that had been working on it.

“As a result, they had completed the development for single claimants that was being used in the pathfinder and made considerable progress on claims for couples and families. And their work, the PwC evaluation said, was of good quality.”

On time?

When alarm bells finally started ringing around Whitehall that Universal Credit was in trouble,  IDS found himself under siege. Stephen Brien says IDS was having to battle with the Treasury to keep the funding going for the project. He had to demonstrate that the programme was on time and on budget.

‘The department wanted to support him in that, and didn’t tell him all the things that were going wrong. I found out about some of them, but I didn’t push as hard as I should have. And looking back, the MPA [Major Projects Authority] meetings and the MPA reports were all handled with a siege mentality. We all felt we had to stand shoulder to shoulder defending where we were and not really using them to ask: ‘Are we where we should be?’

‘As a result we were not helping ourselves, and we certainly were not helping others, including the MPA. But we did get to the stage between the end of 2011 and the spring of 2012 where we said: ‘Okay, let’s get a red team in with the time and space to do our own challenge.’”

The DWP’s “caste” system

A new IT team was created in Victoria Street, London – away from Warrington but outside the DWP’s Caxton Street headquarters. It started to take a genuinely agile approach to the new system. One of those involved told Timmins:

“It had all been hampered by this caste system in the department where there is a policy elite, then the operational people, and then the technical people below that.

“And you would say to the operational people: ‘Why have you not been screaming that this will never work?’ And they’d say: ‘Well, we’re being handed this piece of sh** and we are just going to have to make it work with workarounds, to deal with the fact that we don’t want people to starve. So we will have to work out our own processes, which the policy people will never see, and we will find a way to make it work.’

Twin-track approach

IBM, HP and Accenture built what’s now known as the “live” system which enabled Universal Credit to get underway, and claims to be made in jobcentres.

It uses, in part, the traditional “waterfall” approach and has cost hundreds of millions of pounds. In contrast there’s a separate in-house “digital” system that has cost less than £10m and is an “agile” project.

A key issue, Shiplee told Timmins, was that the new digital team “would not even discuss the preceding work done by the DWP and its IT suppliers”. The digital team had, he says, “a messiah-like approach that they were going to rebuild everything from scratch”.

Rather than write everything off, Shiplee wanted ideally to marry the “front-end” apps that the GDS/DWP team in Victoria Street was developing with the work already done. But “entrenched attitudes” made that impossible. The only sensible solution, he decided, was a “twin-track” approach.

“The Cabinet Office remained adamant that the DWP should simply switch to the new digital version – which it had now become clear, by late summer, would take far longer to build than they anticipated – telling the DWP that the problem was that using the original software would mean ‘creating a temporary service, and temporary will become permanent’.

“All of which led to the next big decision, which, to date, has been one of the defining ones. In November 2013, a mighty and fraught meeting of ministers and officials was convened. Pretty much everyone was there. The DWP ministers, Francis Maude (Cabinet Office minister), Oliver Letwin who was Cameron’s policy overlord, Sir Jeremy Heywood, the Cabinet Secretary, Sir Bob Kerslake, the head of the home civil service, plus a clutch of DWP officials including Robert Devereux and Howard Shiplee as the senior responsible owner along with Danny Alexander and Treasury representatives.

“The decision was whether to give up on the original build, or run a twin-track approach: in other words, to extend the use of the original build that was by now being used in just over a dozen offices – what became dubbed the ‘live’ service – before the new, and hopefully much more effective, digital approach was finished and on stream.

“It was a tough and far from pleasant meeting that is etched in the memories of those who were there…

“One of those present who favoured the twin-track approach says: There were voices for writing the whole of the original off. But that would have been too much for Robert Devereux [the DWP’s Permanent Secretary] and IDS.

” So the twin-track approach was settled on – writing a lot of the original IT down rather than simply writing it off. That, in fact, has had some advantages even if technically it was probably the wrong decision…

“It has, however, seen parts of the culture change that Universal Credit involves being rolled out into DWP offices as more have adopted Universal Credit, even if the IT still requires big workarounds.

“More and more offices, for example, have been using the new claimant commitment, which is itself an important part of Universal Credit. So it has been possible to train thousands of staff in that, and get more and more claimants used to it, while also providing feedback for the new build.”

Francis Maude was among those who objected to the twin-track approach, according to leaked minutes of the project oversight board at around this time.

Lord Freud told Timmins,

‘Francis was adamant that we should not go with the live system [that is, the original build]. He wanted to kill it. But we, the DWP, did not believe that the digital system would be ready on anything like the timescales they were talking about then …But I knew that if you killed the live system, you killed Universal Credit…”

In the end the twin-track approach was agreed by a majority. But the development of the ‘agile’ digital service was immediately hampered by a spat over how quickly staff from the GDS were to be withdrawn from the project.

Fury over National Audit Office report

In 2013 the National Audit Office published a report Universal Credit – early progress –  that, for the first time, brought details of the problems on the Universal Credit programme into the public domain. Timmins’ report says that IDS and Lord Freud were furious.

“IDS and, to an only slightly lesser extent, Lord Freud were furious about the NAO report; and thus highly defensive.”

IDS tried to present the findings of the National Audit Office as purely historical.

In November 2014, the NAO reported again on Universal Credit. It once more disclosed something that ministers had not announced – that the timetable had again been put back two years (which raises further questions about why Lord Freud continues to refuse FOI requests that would put into the public domain – and inform MPs – about project problems, risks and delays without waiting for an NAO report to be published)..

Danny Alexander “cut through” bureaucracy

During one period, the Treasury approval of cash became particularly acute. Lord Freud told Timmins:

“We faced double approvals. We had approval about any contract variation from the Cabinet Office and then approvals for the money separately from the Treasury.

“The Government Digital Service got impatient because they wanted to make sure that the department had the ability to build internally rather than going out to Accenture and IBM, who (sic) they hate.

“The approvals were ricocheting between the Cabinet Office and the Treasury and when we were trying to do rapid iteration. That was producing huge delays, which were undermining everything. So in the end Danny Alexander [Lib-dem MP who was chief secretary to the Treasury] said: ‘I will clear this on my own authority.’ And that was crucial. Danny cut through all of that.”

Optimism bias

So-called optimism bias – over-optimism – is “such a common cause of failure in both public and private projects that it seems quite remarkable that it needs restating. But it does – endlessly”.

Timmins says the original Universal Credit white paper – written long before the start of the programme – stated that it would involve “an IT development of moderate scale, which the Department for Work and Pensions and its suppliers are confident of handling within budget and timescale”.

David Pitchford told Timmins,

“One of the greatest adages I have been taught and have learnt over the years in terms of major projects is that hope is not a management tool. Hoping it is all going to come out all right doesn’t cut it with something of this magnitude.

“The importance of having a genuine diagnostic machine that creates recommendations that are mandatory just can’t be overstated. It just changes the whole outcome completely. As opposed to obfuscation and optimism bias being the basis of the reporting framework. It goes to a genuine understanding and knowledge of what is going on and what is going wrong.”

Sir Bob Kerslake, who also identified the ‘good news culture’ of the DWP as being a problem, told Timmins,

“All organisations should have that ability to be very tough about what is and isn’t working. The people at the top have rose-tinted specs. They always do. It goes with the territory.

And unless you are prepared to embrace people saying that ‘really, this is in a bad place’… I can think of points where I have done big projects where it was incredibly important that we delivered the unwelcome news of where we were on that project. But it saved me, and saved my career.”

Recovery?

Timmins makes good arguments for his claim that the Universal Credit programme may be in recovery – but not recovered – and that improvements have been made in governance to allow for decisions to be properly questioned.

But there is no evidence the DWP’s “good news” culture has changed. For instance the DWP says that more than 300,000 people are claiming Universal Credit but the figure has not been audited and it’s unclear whether claimants who have come off the benefit and returned to it – perhaps several times – are being double counted.

Timmins points out the many uncertainties that cloud the future of the Universal Credit programme  – how well the IT will work, whether policy changes will hit the programme, whether enough staff will remain in jobcentres, and whether the DWP will have good relations with local authorities that are key to the delivery of Universal Credit but are under their own stresses and strains with resourcing.

There are also concerns about what changes the Scots and Northern Irish may want under their devolved powers, and the risk that any ‘economic shock’ post the referendum pushes up the volume of claimants with which the DWP has to deal.

 Could Universal Credit fail for non-IT reasons?

Timmins says,

“In seeking to drive people to higher earnings and more independence from the benefits system, there will be more intrusion into and control over the lives of people who are in work than under the current benefits system. And there are those who believe that such an approach – sanctioning people who are already working – will prove to be political dynamite.”

The dire consequences of IT-related failure

It is also worth noting that Universal Credit raises the stakes for the DWP in terms of its payment performance, says Timmins.

“If a tax credit or a Jobseeker’s Allowance payment or any of the others in the group of six go awry, claimants are rarely left penniless in the sense that other payments – for example, Housing Benefit in the case of Jobseeker’s Allowance or tax credits, – continue.

“If a Universal Credit payment fails, then all the support from the state, other than Child Benefit or disability benefits not included within Universal Credit, disappears.”

This happened recently in Scotland when an IT failure left hundreds of families penniless. The DWP’s public response was to describe the failure in Scotland as “small-scale”.

Comment

What a report.

It is easy to see how much work has gone into it. Timmins has coupled his own knowledge of IT-related failure with a thorough investigation into what has gone wrong and what lessons can be learned.

That said it may make no difference. The Institute in its “lessons” report uses phrases such as “government needs to make sure…”. But governments change and new administrations have an abundance – usually a superfluity – of confidence and ambition. They regard learning lessons from the past as putting on brakes or “nay saying”. You have to get with the programme, or quit.

Lessons are always the same

There will always be top-level changes within the DWP. Austerity will always be a factor.  The culture of denial of bad news, over-optimism about what can be achieved by when and how easily it can be achieved, over-expectations of internal capability, over-expectation of what suppliers can deliver, embarking on a huge project without clearly or fully understanding what it will involve, not listening diligently to potential users and ridiculously short timescales are all well-known lessons.

So why do new governments keep repeating them?

When Universal Credit’s successor is started in say 2032, the same mistakes will probably be repeated and the Institute for Government, or its successor, will write another similar report on the lessons to be learned.

When Campaign4Change commented in 2013 that Universal Credit would probably not be delivered before 2020 at the earliest, it was an isolated voice. At the time, the DWP press office – and its ministers – were saying the project was on budget and “on time”.

NPfIT

The National Audit Office has highlighted similar lessons to those in the Timmins report, for example in NAO reports on the NPfIT – the NHS IT programme that was the world’s largest non-military IT scheme until it was dismantled in 2011. It was one of the world’s biggest IT disasters – and none of its lessons was learned on the Universal Credit programme.

The NPfIT had an anti-bad news culture. It did not talk enough to end users. It had ludicrous deadlines and ambitions. The politicians in charge kept changing, as did some of programme leaders. There was little if any effective internal or external challenge. By the time it was dismantled the NPfIT had lost billions.

What the Institute for Government could ask now is, with the emasculation of the Government Digital Service and the absence of a powerful Francis Maude figure, what will stop government departments including the DWP making exactly the mistakes the IfG identifies on big future IT-enabled programmes?

In future somebody needs the power to say that unless there is adequate internal and external challenge this programme must STOP – even if this means contradicting a secretary of state or a permanent secretary who have too much personal and emotional equity in the project to allow it to stop. That “somebody” used to be Francis Maude. Now he has no effective replacement.

Victims

It’s also worth noting in the Timmins report that everyone seems to be a victim, including the ministers. But who are perpetrators? Timmins tries to identify them. IDS does not come out the report smelling of roses. His passion for success proved a good and bad thing.

Whether the direction was forwards or backwards IDS  was the fuel that kept Universal Credit going.  On the other hand his passion made it impossible for civil servants to give him bad news – though Timmins raises questions about whether officials would have imparted bad news to any secretary of state, given the DWP’s culture.

Neither does the DWP’s permanent secretary Robert Devereux emerge particularly well from the report.

How it is possible for things to go so badly wrong with there being nobody to blame? The irony is that the only people to have suffered are the genuine innocents – the middle and senior managers who have most contributed to Universal Credit apparent recovery – people like Terry Moran.

Perhaps the Timmins report should be required reading among all involved in future major projects. Competence cannot be made mandatory. An understanding of the common mistakes can.

Thank you to FOI campaigner Dave Orr for alerting me to the Institute’s Universal Credit reports.

Thanks also to IT projects professional John Slater – @AmateurFOI – who has kept me informed of his FOI requests for Universal Credit IT reports that the DWP habitually refuse. 

Update 18.00 6 September 2016

In a tweet today John Slater ( @AmateurFOI ) makes the important point that he asked the DWP and MPA whether either had held a “lessons learned” exercise in the light of the “reset” of the Universal Credit IT programme. The answer was no.

This perhaps reinforces the impression that the DWP is irredeemably complacent, which is not a good position from which to lead major IT projects in future.

Universal Credit – from disaster to recovery?

Learning the lessons from Universal Credit

 

Inside Universal Credit IT – analysis of document the DWP didn’t want published

dwpBy Tony Collins

Written evidence the Department for Work and Pensions submitted to an FOI tribunal – but did not want published (ever) – reveals that there was an internal “lack of candour and honesty throughout the [Universal Credit IT] Programme and publicly”.

It’s the first authoritative confirmation by the DWP that it has not always been open and honest when dealing with the media on the state of the Universal Credit IT programme.

FOI tribunal grants request to publish DWP's written submission

FOI tribunal grants request to publish DWP’s written submission

According to the DWP submission, senior officials on the Programme became so concerned about leaks that a former member of the security services was brought in to lead an investigation. DWP staff and managers were the subjects of “detailed interviews”. Employee emails were “reviewed”, as were employee access rights to shared electronic areas.

Staff became “paranoid” about accidentally leaving information on a printer. Some of the high-security measures appear still to be in place.

Unpublished until now, the DWP’s written legal submission referred, in part, to the effects on employees of leak investigations.

The submission was among the DWP’s written evidence to an FOI Tribunal in February 2016.

The Government Legal Service argued that the DWP’s written evidence was for the purposes of the tribunal only. It should not be published or passed to an MP.

The Legal Service went further: it questioned the right of an FOI Tribunal to decide on whether the submission could be published. Even so a judge has ruled that the DWP’s written evidence to the tribunal can be published.

Excerpts from the submission are here.

Analysis and Comment

The DWP’s submission gives a unique glimpse into day-to-day life and corporate sensitivities at or near the top of the Universal credit IT programme.

It reveals the lengths to which senior officials were willing to go to stop any authoritative “bad news” on the Universal Credit IT programme leaking out. Media speculation DWP’s senior officials do not seem to mind. What appears to concern them is the disclosure of any credible internal information on how things are progressing on Universal Credit IT.

Confidential

Despite multiple requests from IT suppliers, former government CIOs and MPs, for Whitehall to publish its progress reports on big IT-based change programmes (some examples below), all central departments keep them confidential.

That sensitivity has little to do with protecting personal data.

It’s likely that reviews of projects are kept confidential largely because they could otherwise expose incompetence, mistakes, poor decisions, risks that are likely to materialise, large sums that have been wasted or, worst of all, a project that should have been cancelled long ago and possibly re-started, but which has been kept going in its original form because nobody wanted to own up to failure.

Ian watmore front cover How to fix government IROn this last point, former government CIO and permanent secretary Ian Watmore spoke to MPs in 2009 about how to fix government IT. He said,

“An innovative organisation tries a lot of things and sometimes things do not work. I think one of the valid criticisms in the past has been when things have not worked, government has carried on trying to make them work well beyond the point at which they should have been stopped.”

Individual accountability for failure?

Oblivious to MPs’ requests to publish IT progress reports, the DWP routinely refuses FOI requests to publish IT progress reports, even when they are several years old, even though by then officials and ministers involved will probably have moved on. Individual accountability for failure therefore continues to be non-existent.

Knowing this, MPs on two House of Commons select committees, Public Accounts and Work and Pensions, have called for the publication of reports such as “Gateway” reviews.

This campaign for more openness on government IT projects has lasted nearly three decades. And still Whitehall never publishes any contemporaneous progress reports on big IT programmes.

It took an FOI campaigner and IT projects professional John Slater [@AmateurFOI] three years of legal proceedings to persuade the DWP to release some old reports on the Universal Credit IT programme (a risk register, milestone schedule and issues log). And he had the support of the Information Commissioner’s legal team.

universal creditWhen the DWP reluctantly released the 2012 reports in 2016 – and only after an informal request by the then DWP secretary of state Stephen Crabb – pundits were surprised at how prosaic the documents were.

Yet we now know, thanks to the DWP’s submission, the lengths to which officials will go to stop such documents leaking out.

Understandable?

Some at the DWP are likely to see the submission as explaining some of understandable measures any government department would take to protect sensitive information on its largest project, Universal Credit. The DWP is the government largest department. It runs some of the world’s biggest IT systems. It possesses personal information on nearly everyone in Britain. It has to make the protection of its information a top priority.

Others will see the submission as proof that the DWP will do all it can to honour a decades-old Whitehall habit of keeping bad news to itself.

Need for openness

It’s generally accepted that success in running big IT-enabled change programmes requires openness – with staff and managers, and with external organisations and agencies.

IT-based change schemes are about solving problems. An introspective “good news only” culture may help to explain why the DWP has a poor record of managing big and successful IT-based projects and programmes. The last time officials attempted a major modernisation of benefit systems in the 1990s – called Operational Strategy – the costs rose from £713m to £2.6bn and the intended objective of joining up the IT as part of a “whole person” concept, did not happen.

Programme papers“watermarked”

The DWP’s power, mandate and funding come courtesy of the public. So do officials, in return, have the right to keep hidden mistakes and flawed IT strategies that may lead to a poor use – or wastage – of hundreds of millions of pounds, or billions?

The DWP’s submission reveals that recommendations from its assurance reports (low-level reports on the state of the IT programme including risks and problems) were not circulated and a register was kept of who had received them.

Concern over leaks

The submission said that surveys on staff morale ceased after concerns about leaks. IT programme papers were no longer sent electronically and were delivered by hand. Those that were sent were “double-enveloped” and any that needed to be retained were “signed back in”. For added security, Universal Credit programme papers were watermarked.

When a former member of the security services was brought in to conduct a leaks investigation, staff and mangers were invited by the DWP’s most senior civil servant to “speak to the independent investigator if they had any information”. This suggests that staff were expected to inform on any suspect colleagues.

People “stopped sharing comments which could be interpreted as criticism of the [Universal Credit IT] Programme,” said the submission. “People became suspicious of their colleagues – even those they worked closely with.

“There was a lack of trust and people were very careful about being honest with their colleagues…

“People felt they could no longer share things with colleagues that might have an honest assessment of difficulties or any negative criticism – many staff believed the official line was, ‘everything is fine’.

“People, even now, struggle to trust colleagues with sensitive information and are still fearful that anything that is sent out via email will be misused.

“For all governance meetings, all documents are sent out as password protected, with official security markings included, whether or not they contain sensitive information.”

“Defensive”

dwpLines to take with the media were added to a “Rolling Brief”, an internal update document, that was circulated to senior leaders of the Universal Credit IT programme, the DWP press office and special advisors.

These “lines to take” were a “defensive approach to media requests”. They emphasised the “positive in terms of progress with the Programme without acknowledging the issues identified in the leaked stories”.

This positive approach to briefing and media management “led to a lack of candour and honesty through the Programme and publically …”

How the DWP’s legal submission came about is explained in this separate post.

Were there leaks of particularly sensitive information?

It appears not. The so-called leaks revealed imperfections in the running of the Universal Credit programme; but there was no personal information involved. Officials were concerned about the perceived leak of a Starting Gate Review to the Telegraph (although the DWP had officially lodged the review with the House of Commons library).

The DWP also mentioned in its statement a leak to the Guardian of the results of an internal “Pulse” survey of staff morale – although it’s unclear why the survey wasn’t published officially given its apparent absence of sensitive commercial, personal, corporate or governmental information.

NPfIT

The greater the openness in external communications, the less likely a natural scepticism of new ways of working will manifest in a distrust of the IT programme as a whole.

The NHS’s National Programme for IT (NPfIT) – then the UK’s biggest IT programme costing about £10bn – was dismantled in 2011 after eight fraught years. One reason it was a disaster was the deep distrust of the NPfIT among clinicians, hospital technologists, IT managers, GPs and nurses. They had listened with growing scepticism to Whitehall’s oft-repeated “good news” announcements.

Ex-Government CIO wanted more openness on IT projects

When MPs have asked the DWP why it does not publish reports on the progress of IT-enabled projects, it has cited “commercial confidentiality”.

But in 2009, Ian Watmore (the former Government CIO) said in answer to a question by Public Account Committee MP Richard Bacon that he’d endorse the publication of Gateway reviews, which are independent assessments of the achievements, inadequacies, risks, progress and challenges on risky IT-based programmes.

“I am with you in that I would prefer Gateway reviews to be published because of the experience we had with capability reviews (published reports on a department’s performance). We had the same debate (as with Gateway reviews) and we published them. It caused furore for a few weeks but then it became a normal part of the furniture,” said Watmore.

Capability reviews are no longer published. The only “regular” reports of Whitehall progress with big IT programmes are the Infrastructure and Projects Authority’s annual reports. But these do not include Gateway reviews or other reports on IT projects and programmes. The DWP and other departments publish only their own interpretations of project reviews.

In the DWP’s latest published summary of progress on the Universal Credit IT programme, dated July 2016, the focus is on good news only.

But this creates a mystery. The Infrastructure and Projects Authority gave the Universal Credit programme an “amber” rating in its annual report which was published this month. But neither the DWP nor the Authority has explained why the programme wasn’t rated amber/green or green.

MPs and even IT suppliers want openness on IT projects

Work and Pensions Committee front coverIn 2004 HP, the DWP’s main IT supplier, told a Work and Pensions Committee inquiry entitled “Making IT work for DWP customers” in 2004 that “within sensible commercial parameters, transparency should be maintained to the greatest possible extent on highly complex programmes such as those undertaken by the DWP”.

The Work and Pensions Committee spent seven months investigating IT in the DWP and published a 240-page volume of oral and written in July 2004. On the matter of publishing “Gateway” reviews on the progress or otherwise of big IT projects, the Committee concluded,

“We found it refreshing that major IT suppliers should be content for the [Gateway] reviews to be published. We welcome this approach. It struck us as very odd that of all stakeholders, DWP should be the one which clings most enthusiastically to commercial confidentiality to justify non-disclosure of crucial information, even to Parliament.”

The Committee called for Gateway reviews to be published. That was 12 years ago – and it hasn’t happened.

Four years later the Committee found that the 19 most significant DWP IT projects were over-budget or late.

DWP headline late and over budget

In 2006 the National Audit Office reported on Whitehall’s general lack of openness in a report entitled “Delivering successful IT-enabled business change”.

The report said,

“The Public Accounts Committee has emphasised frequently the need for greater transparency and accountability in departments’ performance in managing their programmes and projects and, in particular, that the result of OGC Gateway Reviews should be published.”

But today, DWP officials seem as preoccupied as ever with concealing bad news on their big IT programmes including Universal Credit.

The costs of concealment

The DWP has had important DWP project successes, notably pension credits, which was listed by the National Audit Office as one of 24 positive case studies.

But the DWP has also wasted tens of millions of pounds on failed IT projects.

Projects with names such as “Camelot” [Computerisation and Mechanisation of Local Office Tasks] and Assist [Analytical Services Statistical Information System) were cancelled with losses of millions of pounds. More recently the DWP has run into problems on several big projects.

“Abysmal”

On 3 November 2014 the then chairman of the Public Accounts Committee Margaret Hodge spoke on Radio 4’s Analysis of the DWP’s ‘abysmal’ management of IT contracts.”

1984

As long ago as 1984, the House of Commons Public Accounts Committee called for the civil service to be more open about its progress on major computer projects.

Today there are questions about whether the Universal Credit IT will succeed. Hundreds of millions has already been spent. Yet, as mentioned earlier, current information on the progress of the DWP’s IT programmes remains a state secret.

It’s possible that progress on the Universal Credit IT programme has been boosted by the irregular (but thorough) scrutiny by the National Audit Office. That said, as soon as NAO reports on Universal Credit are published, ministers and senior officials who have seen copies in advance routinely dismiss any criticisms as retrospective and out-of-date.

Does it matter if the DWP is paranoid about leaks?

A paper published in 2009 looks at how damaging it can be for good government when bureaucracies lack internal challenge and seek to impose on officials a “good news” agenda, where criticism is effectively prohibited.

The paper quoted the then Soviet statesman Mikhail Gorbachev as saying, in a small meeting with leading Soviet intellectuals,

“The restructuring is progressing with great difficulty. We have no opposition party. How then can we control ourselves? Only through criticism and self-criticism. Most important: through glasnost.”

Non-democratic regimes fear a free flow of information because it could threaten political survival. In Russia there was consideration of partial media freedom to give incentives to bureaucrats who would otherwise have no challenge, and no reason to serve the state well, or avoid mistakes.

The Chernobyl nuclear disaster, which occurred on April 26, 1986, was not acknowledged by Soviet officials for two days, and only then after news had spread across the Western media.

The paper argued that a lack of criticism could keep a less democratic government in power. But it can lead to a complacency and incompetence in implementing policy that even a censored media cannot succeed in hiding.

As one observer noted after Chernobyl (Methvin in National Review, Dec. 4, 1987),

“There surely must be days—maybe the morning after Chernobyl—when Gorbachev wishes he could buy a Kremlin equivalent of the Washington Post and find out what is going on in his socialist wonderland.”

Red team

Iain DuncanSmithA lack of reliable information on the state of the Universal Credit IT programme prompted the then secretary of state Iain Duncan Smith to set up his own “red team” review.

That move was not known about at the time. Indeed in December 2012 – at a point when the DWP was issuing public statements on the success of the Universal Credit Programme – the scheme was actually in trouble. The DWP’s legal submission said,

“In summary we concluded (just before Christmas 2012) that the IT system that had been developed for the launch of UC [Universal Credit] had significant problems.”

One wonders whether DWP civil servants kept Duncan Smith in the dark because they themselves had not been fully informed about what was going on, or because they thought the minister was best protected from knowing what was going on, deniability being one key Whitehall objective.

But in the absence of reliable internal information a political leader can lose touch completely, said the paper on press freedom.

“On December 21, 1989, after days of local and seemingly limited unrest in the province of Timi¸ Ceausescu called for a grandiose meeting at the central square of Bucharest, apparently to rally the crowds in support of his leadership. In a stunning development, the meeting degenerated into anarchy, and Ceausescu and his wife had to flee the presidential palace, only to be executed by a firing squad two days later.”

Wrong assumptions

Many times, after the IT media has published articles on big government IT-based project failures, TV and radio journalists have asked to what extent the secretary of state was responsible and why he hadn’t acted to stop millions of pounds being wasted.

But why do broadcast journalists assume ministers control their departments? It is usually more likely that ministers know little about the real risks of failure until it is too late to act decisively.

Lord Bach, a minister at DEFRA, told a House of Commons inquiry in 2007 into the failure of the IT-based Single Payment Scheme that he was aware of the risks but still officials told him that systems would work as planned and farmers would receive payments on time. They didn’t. Chaos ensued.

Said Lord Bach,

“I do think that, at the end of the day, some of the advice that I received from the RPA [Rural Payments Agency] was over-optimistic.”

Lord WhittyAnother DEFRA minister at the time Lord Whitty, who was also party in charge of the Single Payment Scheme, told the same inquiry,

“Perhaps I ought also to say that this was the point at which I felt the advice I was getting was most misleading, and I have used the term ‘misleading’ publicly but I would perhaps prefer to rephrase that in the NAO terms …”

Even the impressive Stephen Crabb – who has now quit as DWP secretary of state – didn’t stand much of chance of challenging his officials. The department’s contracts, IT and other affairs, are so complex and complicated – there are bookcases full of rules and regulations on welfare benefits – that any new ministers soon find themselves overwhelmed with information and complexity.

They will soon realise they are wholly dependent on their officials; and it is the officials who decide what to tell the minister about internal mistakes and bad decisions. Civil servants would argue that ministers cannot be told everything or they would be swamped.

But the paper on press freedom said that in order to induce high effort within a bureacucracy, the leader needs “verifiable information on the bureaucrats’ performance”.

The paper made a fascinating argument that the more complacent the bureaucracy, the more aggressively it would control information. Some oil-rich countries, said the paper, have less media freedom than those with scarcer resources.

“Consistent with our theory, [some] non-democratic countries … have vast resources and poor growth performance, while the Asian tigers (South Korea, Taiwan, Hong Kong, and Singapore), while predominantly non-democratic in the 1970s and 1980s, have high growth rates and scarce natural resource.”

In an apparent opening up of information, the government in China passed a law along the lines of the U.S. Freedom of Information Act (“China Sets Out to Cut Secrecy, but Laws Leave Big Loopholes,” New York Times, Apr. 25, 2007). But was this law self-serving? It, and the launch of local elections, provided the central government with relatively reliable information on the performance of provincial bosses.

These stories from less democratic countries may be relevant in Britain because politicians here, including secretaries of state, seem to be the last to know when a big IT-based programme is becoming a disaster.

Bad news

Whtehall’s preoccupation with “good news only” goes well beyond the DWP.

T auditors Arthur D Little, in a forensic analysis of the delays, cost over-runs and problems on the development of a huge air traffic control IT project for National Air Traffic Services, whose parent was then the Civil Aviation Authority, which was part of the Department for Transport, referred to an “unwillingness to face up to and discuss bad news”.

Ministers helpless to force openness on unwilling officials?

Francis Maude came to the Cabinet Office with a reforming zeal and a sophisticated agenda for forcing through more openness, but the effects of his efforts began to evaporate as soon as he left office. Even when he was at the height of his power and influence, he was unable to persuade civil servants to publish Gateway reviews, although he’d said when in opposition that he intended to publish them.

His negotiations ended with central departments agreeing to publish only the “traffic light” status of big projects – but only after a minimum delay of at least six months. In practice the delay is usually a year or more.

Brexit

Brexit campaigners argue that the EC is undemocratic, that decisions are taken in Brussels in secret by unelected bureaucrats. But the EC is at least subject to the scrutiny, sometimes the competing scrutiny, of 29 countries.

Arguably Whitehall’s departments are also run by unelected bureaucrats who are not subject to any effective scrutiny other than inspections from time to time of the National Audit Office.

Yes Minister parodied Sir Humphrey’s firm grip on what the public should and should not be told. Usually his recommendation was that the information should be misleadingly reassuring. This was close enough to reality to be funny. And yet close enough to reality to be serious as well. It revealed a fundamental flaw in democracy.

Nowhere is that flaw more clearly highlighted than in the DWP’s legal submission. Is it any surprise that the DWP did not want the submission published?

If officials had the choice, would they publish any information that they did not control on any of their IT projects and programmes?

That’s where the indispensable work of the National Audit Office comes into the picture – but it alone, even with the help of the Public Accounts Committee, cannot plug the gaping hole in democracy that the DWP’s submission exposes.

These are some thoughts I am left with after reading the legal submission in the light of the DWP’s record on the management of IT-based projects …

  • Press freedom and the free flow of information cannot be controlled in a liberal democracy. But does Whitehall have its own subtle – and not so subtle – ways and means?
  • In light of the DWP’s track record, the public and the media are entitled to distrust whatever ministers and officials say publicly about their own performance on IT-related programmes, including Universal Credit.
  • More worryingly, would the DWP’s hierarchy care a jot if the media and public didn’t believe what the department said publicly about progress on big projects such as Universal Credit?
  • Is the DWP’s unofficial motto: Better to tell a beautiful lie than an ugly truth?
  • AL Kennedy mentioned the “botched” Universal Credit programme  when she gave a “point of view” on Radio 4 last week. Not referring specifically to Universal Credit she said facts can be massaged but nature can’t be fooled. A girder that won’t hold someone’s weight is likely to fail however many PR-dominated assurance reports have gone before. “Facts are uncompromising and occasionally grim. I wish they weren’t. Avoiding them puts us all at increased risk,” she said.

 Excerpts from the DWP submission

Some Twitter comments on this post:

tweet2

tweet3

tweet

tweet4

Aspire: eight lessons from the UK’s biggest IT contract

By Tony Collins

How do you quit a £10bn IT contract in which suppliers have become limbs of your organisation?

Thanks to reports by the National Audit Office, the questioning of HMRC civil servants by the Public Accounts Committee, answers to FOI requests, and job adverts for senior HMRC posts, it’s possible to gain a rare insight into some of the sensitive commercial matters that are usually hidden when the end of a huge IT contract draws closer.

Partly because of the footnotes, the latest National Audit Office memorandum on Aspire (June 2016) has insights that make it one of the most incisive reports it has produced on the department’s IT in more than 30 years.

Soaring costs?

Aspire is the government’s biggest IT-related contract. Inland Revenue, as it was then, signed a 10-year outsourcing deal with HP (then EDS) in 1994, and transferred about 2,000 civil servants to the company. The deal was expected to cost £2bn over 10 years.

After Customs and Excise, with its Fujitsu VME-based IT estate, was merged with Inland Revenue’s in 2005, the cost of the total outsourcing deal with HP rose to about £3bn.

In 2004 most of the IT staff and HMRC’s assets transferred to Capgemini under a contract known as Aspire – Acquiring Strategic Partners for Inland Revenue. Aspire’s main subcontractors were Accenture and Fujitsu.

In subsequent years the cost of the 10-year Aspire contract shot up from about £3bn to about £8bn, yielding combined profits to Capgemini and Fujitsu of £1.2bn – more than double the £500m originally modelled. The profit margin was 15.8% compared to 12.3% originally modelled.

The National Audit Office said in a report on Aspire in 2014 that HMRC had not handled costs well. The NAO now estimates the cost of the extended (13-year) Aspire contract from 2004 to 2017 to be about £10bn.

Between April 2006 and March 2014, Aspire accounted for about 84% of HMRC’s total spending on technology.

Servers that typically cost £30,000 a year to run under Aspire – and there are about 4,000 servers at HMRC today – cost between £6,000 when run internally or as low as £4,000 a year in the commodity market.

How could the Aspire spend continue – and without a modernisation of the IT estate?

A good service

HMRC has been generally pleased with the quality of service from Aspire’s suppliers.  Major systems have run with reducing amounts of downtime, and Capgemini has helped to build many new systems.

Where things have gone wrong, HMRC appears to have been as much to blame as the suppliers, partly because development work was hit routinely by a plethora of changes to the agreed specifications.

Arguably the two biggest problems with Aspire have been cost and lack of control.  In the 10 years between 2004 and 2014 HMRC paid an average of £813m a year to Aspire’s suppliers.  And it paid above market rates, according to the National Audit Office.

By the time the Cabinet Office’s Efficiency and Reform Group announced in 2014 that it was seeking to outlaw “bloated and wasteful” contracts, especially ones over £100m, HMRC had already taken steps to end Aspire.

It decided to break up its IT systems into chunks it could manage, control and, to some extent, commoditise.

HMRC’s senior managers expected an end to Aspire by 2017. But unexpected events at the Department for Work and Pensions put paid to HMRC’s plan …

Eight lessons from Aspire

1. Your IT may not be transformed by outsourcing.  That may be the intention at the outset. But it didn’t happen when Somerset County Council outsourced IT to IBM in 2007 and it hasn’t happened in the 12 years of the Aspire contract.

 “The Aspire contract has provided stable but expensive IT systems. The contract has contributed to HMRC’s technology becoming out of date,” said the National Audit Office in its June 2016 memorandum.

Mark DearnleyAnd Mark Dearnley, HMRC’s Chief Digital Information Officer and main board member, told the Public Accounts Committee last week,

“Some of the technology we use is definitely past its best-before date.”

2. You won’t realise how little you understand your outsourced IT until you look at ending a long-term deal.

Confidently and openly answering a series of trenchant questions from MP Richard Bacon at last week’s Public Accounts Committee hearing, Dearnley said,

“It’s inevitable in any large black box outsourcing deal that there are details when you get right into it that you don’t know what’s going on. So yes, that’s what we’re learning.”

3. Suppliers may seem almost philanthropic in the run-up to a large outsourcing deal because they accept losses in the early part of a contract and make up for them in later years.

Dearnley said,

“What we are finding is that it [the break-up of Aspire] is forcing us to have much cleaner commercial conversations, not getting into some of the traditional arrangements.

” If I go away from Aspire and talk about the typical outsourcing industry of the last ten years most contracts lost money in their first few years for the supplier, and the supplier relied on making money in the later years of the contract.

“What that tended to mean was that as time moved on and you wanted to change the contract the supplier was not particularly incented to want to change it because they wanted to make their money at the end.

“What we’re focusing on is making sure the deals are clean, simple, really easy to understand, and don’t mortgage the future and that we can change as the environment evolves and the world changes.”

4. If you want deeper-than-expected costs in the later years of the contract, expect suppliers to make up the money in contract extensions.

Aspire was due originally to end in 2004. Then it went to 2017 after suppliers negotiated a three-year extension in 2007. Now completion of the exit is not planned until 2020, though some services have already been insourced and more will be over the next four years.

The National Audit Office’s June 2016 memorandum reveals how the contract extension from 2017 to 2020 came about.

HMRC had a non-binding agreement with Capgemini to exit from all Aspire services by June 2017. But HMRC had little choice but to soften this approach when Capgemini’s negotiating position was unexpectedly strengthened by IT deals being struck by other departments, particularly the Department for Work and Pensions.

Cabinet Office “red lines” said that government would not extend existing contracts without a compelling case. But the DWP found that instead of being able to exit a large hosting contract with HP in February 2015 it would have to consider a variation to the contract to enable a controlled disaggregation of services from February 2015 to February 2018.

When the DWP announced it was planning to extend its IT contract with its prime supplier HP Enterprise, HMRC was already in the process of agreeing with Capgemini the contract changes necessary to formalise their agreement to exit the Aspire deal in 2017.

“Capgemini considered that this extension, combined with other public bodies planning to extend their IT contracts, meant that the government had changed its position on extensions…

“Capgemini therefore pushed for contract extensions for some Aspire services as a condition of agreeing to other services being transferred to HMRC before the end of the Aspire contract,” said the NAO’s June 2016 memo.

5. It’s naïve to expect a large IT contract to transfer risks to the supplier (s).

At last week’s Public Accounts Committee hearing, Richard Bacon wanted to know if HMRC was taking on more risk by replacing the Aspire contract with a mixture of insourced IT and smaller commoditised contracts of no more than three years. Asked by Bacon whether HMRC is taking on more risk Dearnley replied,

“Yes and no – the risk was always ours. We had some of it backed of it backed off in contract. You can debate just how valuable contract backing off is relative to £500bn (the annual amount of tax collected).  We will never back all of that off. We are much closer and much more on top of the service, the delivery, the projects and the ownership (in the gradual replacement of Aspire).”

6. Few organisations seeking to end monolithic outsourcing deals will have the transition overseen by someone as clear-sighted as Mark Dearnley.

His plain speaking appeared to impress even the chairman of the Public Accounts Committee Meg Hillier who asked him at the end of last week’s hearing,

Meg Hillier

Meg Hillier

“And what are your plans? One of the problems we often see in this Committee is people in very senior positions such as yours moving on very quickly. You have had a stellar career in the private sector…

“We hope that those negotiations move apace, because I suspect – and it is perhaps unfair to ask Mr Dearnley to comment – that to lose someone senior at this point would not be good news, given the challenges outlined in the [NAO] Report,” asked Hillier.

Dearnley then gave a slightly embarrassed look to Jon Thomson, HMRC’s chief executive and first permanent secretary. Dearnley replied,

“Jon and I are looking at each other because you are right. Technically my contract finishes at the end of September because I was here for three years. As Jon has just arrived, it is a conversation we have just begun.”

Hiller said,

“I would hope that you are going to have that conversation.”

Richard Bacon added,

“Get your skates on, Mr Thompson; we want to keep him.”

Thompson said,

“We all share the same aspiration. We are in negotiations.”

7. Be prepared to set aside millions of pounds – in addition to the normal costs of the outsourcing – on exiting.

HMRC is setting aside a gigantic sum – £700m. Around a quarter of this, said the National Audit Office, is accounted for by optimism bias. The estimates also include costs that HMRC will only incur if certain risks materialise.

In particular, HMRC has allowed around £100m for the costs of transferring data from servers currently managed by Aspire suppliers to providers that will make use of cloud computing technology. This cost will only be incurred if a second HMRC programme – which focuses on how HMRC exploits cloud technology – is unsuccessful.

Other costs of the so-called Columbus programme to replace Aspire include the cost of buying back assets, plus staff, consultancy and legal costs.

8. Projected savings from quitting a large contract could dwarf the exit costs.

HMRC has estimated the possible minimum and possible maximum savings from replacing Aspire. Even the minimum estimated savings would more than justify the organisational time involved and the challenge of building up new corporate cultures and skills in-house while keeping new and existing services running smoothly.

By replacing Aspire and improving the way IT services are organised and delivered, HMRC expects to save – each year – about £200m net, after taking into account the possible exit costs of £700m.

The National Audit Office said most of the savings are calculated on the basis of removing supplier profit margins and overheads on services being brought in-house, and reducing margins on other services from contract changes.

Even if the savings don’t materialise as expected and costs equal savings the benefits of exiting are clear. The alternative is allowing costs to continue to soar while you allow the future of your IT to be determined by what your major suppliers can or will do within reasonable cost limits.

Comment

HMRC is leading the way for other government departments, councils, the police and other public bodies.

Dearnley’s approach of breaking IT into smaller manageable chunks that can be managed, controlled, optimised and to some extent commoditised is impressive.  On the cloud alone he is setting up an internal team of 50.

In the past, IT empires were built and retained by senior officials arguing that their systems were unique – too bespoke and complex to be broken up and treated as a commodity to be put into the cloud.

Dearnley’s evidence to the Public Accounts Committee exposes pompous justifications for the status quo as Sir Humphrey-speak.

Both Richard Feynman and Einstein said something to the effect that the more you understand a subject, the simpler you can explain it.

What Dearnley doesn’t yet understand about the HMRC systems that are still run by Capgemini he will doubtless find out about – provided his contract is renewed before September this year.

No doubt HMRC will continue to have its Parliamentary and other critics who will say that the risks of breaking up HMRC’s proven IT systems are a step too far. But the risks to the public purse of keeping the IT largely as it is are, arguably, much greater.

The Department for Work and Pensions has proved that it’s possible to innovate with the so-called digital solution for Universal Credit, without risking payments to vulnerable people.

If the agile approach to Universal Credit fails, existing benefit systems will continue, or a much more expensive waterfall development by the DWP’s major suppliers will probably be used instead.

It is possible to innovate cheaply without endangering existing tax collection and benefit systems.

Imagine the billions that could be saved if every central government department had a Dearnley on the board. HMRC has had decades of largely negative National Audit Office reports on its IT.  Is that about to change?

Update:

This morning (22 June 2016) on LinkedIn, management troubleshooter and board adviser Colin Beveridge wrote,

“Good analysis of Aspire and outsourcing challenges. I have seen too many business cases in my career, be they a case for outsourcing, provider transition or insourcing.

“The common factor in all the proposals has been the absence of strategy end of life costs. In other words, the eventual transition costs that will be incurred when the sourcing strategy itself goes end of life. Such costs are never reflected in the original business case, even though their inevitability will have an important impact on the overall integrity of the sourcing strategy business case.

“My rule of thumb is to look for the end of strategy provision in the business case, prior to transition approval. If there is no provision for the eventual sourcing strategy change, then expect to pay dearly in the end.”

June 2016 memorandum on Aspire – National Audit Office

Dearney’s evidence to the Public Accounts Committee

Crabb’s momentous FOI decision on Universal Credit IT?

By Tony Collins

Some of the DWP legal "bundles" in its protracted and pointless FOI case to try and stop Universal Credit reports being released.

Some of the DWP legal “bundles” in its protracted and pointless FOI case to try and stop Universal Credit reports being released.

Stephen Crabb, the new DWP secretary of state who replaces IDS, has started to make a difference.

On 3 April 2016 the Sunday Times reported that Crabb had ordered officials to stop refusing FOI requests and come clean with him and the public about problems on the Universal Credit programme.

Five days later (8 April 2016) the DWP released three reports under FOI on the Universal Credit programme: a risk register, an issues register and a Major Projects Authority project assessment review.

DWP FOI bundles2

The DWP fought for years at FOI tribunals and appeal hearings to stop the reports being published. Officials were expected to instigate a further appeal after an FOI tribunal ruled last month that the reports be published.

But it now appears that Stephen Crabb refused to sign off further public money for an appeal and officials were left with little choice but to release the reports.

The reports show the extent to which the DWP was economical with the truth in its self-praising departmental press releases and ministerial statements on the state of the Universal Credit programme in 2012 and 2013.

Trust

Indeed, how can we trust any DWP press statement on Universal Credit given that officials are still keeping hidden from Parliament and the public the risk registers, issues registers and project assessment reviews carried out on the UC programme since 2012.

Stephen Crabb

Stephen Crabb

Crabb’s appointment and the release of the three reports dated 2011 and 2012 are, from an FOI point of view, a good start.

But will the DWP become more open in the future about the state of its big IT-enabled change programmes?

Probably not. In a statement to Computer Weekly last week, a DWP spokesperson dismissed the released reports as “nearly five years old and out-of-date” and went on to praise the Universal Credit programme (which involves a waterfall approach and separate much cheaper, and to some extent competing, agile-based project).

This statement suggests that the DWP’s “no bad news” culture is still pervasive; that it is prepared to denigrate its own reports as out of date when they convey messages that conflict with officialdom’s good news culture.

A mass of DWP paperwork and legal bundles on the FOI appeals and hearings related to the documents show how earnest were the reasons for the DWP’s refusal to release the reports until this month.

It is likely that Crabb personally ordered their release. But, probably unknown to Crabb, the DWP has just refused an FOI request to release an Integrated Assurance and Approval Plan (IAAP) on the Universal Credit programme.

IT projects professional John Slater had requested the IAAP. He’d also made the original request for the UC risk register and issues register, and had campaigned long and hard for their release.

Some people may be surprised by the DWP’s refusal to release the IAAP, given that it is another very old Universal Credit report, dating back to the start of the programme. It may even pre-date the released risk register, issues register and project assessment review.

But the IAAP’s release could embarrass the DWP. IAAPs have been mandatory for all major projects since 1 April 2011. They show how well officials have planned a project or programme.

UC assumptions

The Treasury will not normally approve funding without a satisfactory IAAP. It is likely the DWP made a range of over-optimistic assumptions about the UC roll-out in its IAAP.

The DWP’s refusal to release it was under section 36 of FOI legislation. This requires sign off by a minister. In this case it is likely to have been signed off by Lord Freud, the welfare and pensions minister.

He was the minister who originally refused the FOI requests for the Universal Credit risk register, issues register, milestone schedule and project assessment review.

It is unlikely that Crabb knows anything about Slater’s request for the IAAP.

No Whitehall department has yet released contemporaneously – under FOI or outside it – any reports on the performance, progress or otherwise of its big IT-enabled projects or programmes, including Universal Credit.

Arguably it is the continued secrecy on the way officials manage big and costly schemes that contributes more than anything else to the poor record of central government when it comes to understanding and implementing IT-related change.

Out of control?

John Slater said of the released reports,

“Whilst the information disclosed relates to the UCP as it was back in 2012 it is still important and relevant to the programme today.

“The information shows a programme that appears to have been running at breakneck pace and was out of control.

“The normal checks and balances that a professional organisation should have had in place, especially cost control, simply weren’t there. Whilst these problems were recognised in the risks and issues there was no sense that the senior leadership team were willing or able to do anything about them.

“Having read the information it is not a surprise that the Major Projects Authority had no other option but to stop and restart the programme via the now infamous reset.

“The released information also raises questions about the validity of the Universal Credit business case that might explain why it still hasn’t been signed off by the Treasury.”

Comment

Well done to Stephen Crabb. He has given the culture of secrecy at the DWP a gentle shake. But can he make a lasting difference?

As we saw in “Yes Minister” it is difficult for a new minister – or any minister – to have any permanent influence on officialdom. And it remains the case that neither the DWP nor any other department has ever released contemporaneously reports on its own performance or the progress on a big IT-related change programme.

The nearest thing to it is a National Audit Office report, but these are usually retrospective and they are almost always dismissed by departmental press offices and ministers as out of date, whether they are or not.

It is abundantly clear that the DWP is pre-occupied – maybe paranoid – about negative media coverage of the Universal Credit programme.

The same thing happened at the Department of Health over media coverage of the NPfIT NHS IT programme: officials even issued written instructions to NHS staff on the tone of voice they should use with journalists and others when discussing the programme.

Many of the legal reasons the DWP gave to FOI tribunals and appeal judges revolved around the fear of releasing information that could fuel a negative response by the media to the Universal Credit programme.

dwpWhitehall’s war on FOI

Crabb has won an FOI battle but his officials are winning the pro-secrecy war. For Crabb to make a lasting difference he will need to persuade Lord Freud – and any of his successors – of the virtues of openness.

Until officials willingly publish contemporaneous reports on the progress or otherwise of big IT-enabled change programmes, government will probably continue to have a poor record when managing these schemes.

Success in government IT requires openness because IT-enabled projects and programmes are about solving problems; and if the problems cannot be admitted let alone discussed widely they are unlikely to be solved,as we saw with the initial problems on the Universal Credit programme.

Universal Credit involves many external organisations such as local authorities and housing associations. The DWP could start to embrace media coverage as giving healthy challenge to its decisions – challenges that may help to resolve a range of problems that are inevitable when the benefit system is being simplified.

Keeping reports such as the IAAP secret – even after five years – will continue to fuel the internal paranoia against open and constructive debate.

After decades of secrecy over the contemporaneous release of project and performance reports it is time for lasting change.

Universal Credit shows it’s time to make all major government projects open and transparent – Computer Weekly Editor’s Blog.

Judge orders Universal Credit reports must be published – The Register

Victory for campaigners as DWP finally publishes Universal Credit reports – Politics.co.uk

DWP “evasive” and “selective” with information on Universal Credit programme

By Tony Collins

Has the Department for Work and Pensions put itself, to some extent, beyond the scrutiny  of Parliament on the Universal Credit IT programme?

Today’s report of the Public Accounts Committee Universal Credit progress update was drafted by the National Audit Office. All of the committee’s reports are effectively more strongly-worded NAO reports.

If the Department for Work and Pensions cannot be open with its own auditors – the National Audit Office audits the department’s annual accounts – are the DWP’s most senior officials in the happy position of being accountable to nobody on the Universal Credit IT programme?

The National Audit Office and the committee found the Department for Work and Pensions “selective or even inaccurate” when giving some information to the committee.

In answering some questions, the committee found officials “evasive”.

Today’s PAC report says:

“We remain disappointed by the persistent lack of clarity and evasive responses by the Department to our inquiries, particularly about the extent and impact of delays. The Department’s response to the previous Committee’s recommendations in the February 2015 report Universal Credit: progress update do not convince us that it is committed to improving transparency about the programme’s progress.”

On the basis of the limited information supplied by the DWP to Parliament the committee’s MPs believe that the Universal Credit has stabilised and made progress since the committee first reported on the programme in 2013, but there “remains a long way to go”.

So far the roll-out has largely involved the simplest of cases, and the ineligibility list for potential UC claimants is long.  By 10 December 2015, fewer than 200,000 people were on the DWP’s UC “caseload” list.

The actual number could be far fewer because the exact number recorded by the DWP by 10 December 2015 (175, 505)  does not include people whose claims have terminated because they have become ineligible by for example having capital more than £16,000 or earning more so that their benefits are reduced to zero.

The plan is to have more than seven million on the benefit, and the timetable for completion of the roll-out has stretched from 2017 originally to 2021,  although some independent experts believe the roll-out will not complete before 2023.

Meanwhile the DWP appears to be controlling carefully the information it gives to Parliament on progress. The committee accuses the DWP in today’s report of making it difficult for Parliament and taxpayers to hold the department to account. Says the report,

“The programme’s lack of clear and specific milestones creates uncertainty for claimants, advisers, and local authorities, and makes it difficult for Parliament and taxpayers to hold the Department to account.”

These are more excerpts from the report:

“In February 2015 the previous Committee of Public Accounts published Universal Credit: progress update … The Department accepted the Committee’s recommendations.

“However, we felt that the Department’s responses were rather weak and lacked specifics, and we were not convinced that it is committed to ensuring there is real clarity on this important programme’s progress.

“As a result, we recalled both the Department and HM Treasury to discuss a number of issues that concerned us, particularly around the business case, the continuing risks of delay, and the lack of transparency and clear milestones.

“Recommendation: The Department should set out clearly how it is tracking the costs of continuing delays, and who is responsible for ensuring benefits are maximised.

“The Department does not publish accessible information about plans and milestones and we are concerned by the lack of detail in the public domain about its expected progress.

“For proper accountability, this information should be published so that the Committee, the National Audit Office and the general public can be clear about progress…

“… the Department did not acknowledge that the slower roll-out affects two other milestones, because it delays the date when existing claimants start to be moved onto Universal Credit and reduces the number of Universal Credit claimants at the end of 2019.

“The flexible adaptation of milestones to circumstances is sensible, but the Department should be open about when this occurs and what the effects are. Instead, the Department’s continued lack of transparency makes it very difficult for us and the public to understand precisely how its plans are shifting.

“Claimants need to know more than just their benefits will change ‘soon’; local authorities need time to prepare additional support; and advisers need to be able to help people that come to them with concerns…

“Recommendation: By May 2016, the Department should set out and report publicly against a wider set of clearly stated milestones, based on ones it currently uses as internal measures, including plans for different claimant groups, local authority areas and for the development and use of new systems. We have set out the areas we expect these milestones to cover in an appendix to this report…

“The Department was selective or even inaccurate when highlighting the findings of its evaluation to us.”

The DWP has two IT projects to deliver UC, one based on its existing major suppliers delivering systems that integrate the simplest of new claims with legacy IT.

The other and more promising solution is a far cheaper “digital service” that is based on agile principles and is, in effect, entirely new IT that could eventually replace legacy systems. It is on trial in a small number of jobcentres.

The DWP’s slowly slowly approach to roll-out means it is reluctant to publish milestones, and it has reached only an early stage of the business case. The final business case is not expected before 2017 and could be later.

The committee has asked the DWP to be more transparent over the business case. It wants detail on:

  • Projected spending, including both investment and running costs for:
  • Live service (split between ‘staff and non staff costs’ and ‘external supplier costs’)
  • Digital service (split between ‘staff and non staff costs’ and ‘external supplier costs’)
  • Rest of programme (split between ‘staff and non staff costs’ and ‘External supplier costs’)
  • Net benefits realised versus forecasts.

Meanwhile the DWP’s response to those who criticise the slow roll-out is to give impressive statistics on the number of jobcentres now processing UC claims, without acknowledging that nearly all of them are processing only the simplest of claims.

Comment

To whom is the DWP accountable on the Universal Credit IT programme? To judge from today’s report it is not the all-party Public Accounts Committee or its own auditors the National Audit Office.

No government has been willing to force Whitehall departments to be properly accountable for their major IT-enabled projects or programmes. Sir Humphrey remains in control.

The last government with Francis Maude at the helm at the Cabinet Office came close to introducing real reforms (his campaign began too forcefully but settled into a good strategy of pragmatic compromise) but his departure has meant that open government and greater accountability for central departments have drifted into the shadows.

The DWP is not only beyond the ability of Parliament to hold it accountable it is spending undisclosed of public money sums on an FOI case to stop three ageing reports on the Universal Credit IT programme being published. The reports are nearly four years old.

Would that senior officials at the DWP could begin to understand a connection between openness and Lincoln’s famous phrase “government of the people, by the people, for the people”.

Public Accounts Committee report Universal Credit, progress update

DWP gives out “selective” information on welfare reform even to its auditors (a similar story in 2015)

Department for Work and Pensions “evasive” – Civil Service World (This article is aimed at its readers who are mostly civil servants. It is likely it will find favour with senior DWP IT staff who will probably mostly agree with the Public Accounts Committee’s view that the DWP hierarchy is, perhaps because of culture, evasive and selective with the information it gives to Parliament and the public.)

 

Is HMRC spending enough for help to replace £10.4bn Aspire contract?

By Tony Collins

Government Computing reports that HM Revenue and Customs is seeking a partner for a two-year contract, worth £5m to £20m, to help the department replace the Aspire deal which expires in 2017.

HMRC is leading the way for central government by seeking to move away from a 13-year monopolistic IT supply contract, Aspire, which is expected to cost £10.4bn up to 2017.

Aspire’s main supplier is Capgemini.  Fujitsu and Accenture are the main subcontractors.

HMRC says it wants its IT services to be designed around taxpayers rather than its own operations. Its plan is to give every UK taxpayer a personalised digital tax account – built on agile principles – that allows interactions in real-time.

This will require major changes in its IT,  new organisational skills and changes to existing jobs.

HMRC’s officials want to comply with the government’s policy of ending large technology contracts in favour of smaller and shorter ones.

Now the department is advertising for a partner to help prepare for the end of the Aspire contract. The partner will need to help bring about a “culture and people transformation”.

The contract will be worth £5m to £20m, the closing date for bids is 6 July, and the contract start date is 1 September.  A “supplier event” will be held next week.

But is £5m to £20m enough for HMRC to spend on help to replace a £10.4bn contract?

This is the HMRC advert:

“HMRC/CDIO [Chief Digital Information Officer, Mark Dearnley] needs an injection of strategic-level experience and capacity to support people and culture transformation.
“The successful Partner must have experience of managing large post-merger work force integrations, and the significant people and cultural issues that arise. HMRC will require the supplier to provide strategic input to the planning of this activity and for support for senior line managers in delivering it.
“HMRC/CDIO needs an injection of strategic level experience and capacity to help manage the exit from a large scale outsourced arrangement that has been in place for 20+ years.
“HMRC is dependent on its IT services to collect £505bn in tax and to administer £43bn in benefits each year. The successful supplier must have proven experience of working in a multi-supplier environment, working with internal and external legal teams and suppliers and must have a proven track record of understanding large IT business operations.
“HMRC/CDIO needs an injection of strategic level experience and capacity to help HMRC Process Re-engineer and ‘Lean’ its IT operation. HMRC/CDIO requires a Programme Management Office (PMO) to undertake the management aspects of the programme.
“It is envisaged that the Lead Transformation Partner will provide leadership of the PMO and work alongside HMRC employees. The leadership must have significant experience of working in large, dynamic, multi-faceted programmes working in organisations that are of national/international scale and importance including major transformation…”

Replacing Aspire with smaller short-term contracts will require a transfer of more than 2,000 Capgemini staff to possibly a variety of SMEs or other companies, as well as big changes in HMRC’s ageing technologies.

It would be much easier for HMRC’s executives to replace Aspire with another long-term costly contract with a major supplier but officials are committed to fundamental change.

The need for change was set out by the National Audit Office in a report “Managing and replacing the Aspire contract”  in 2014. The NAO found that Capgemini has, in general,  kept the tax systems running fairly well and successfully delivered a plethora of projects. But at a cost.

The NAO report said Aspire was “holding back innovation” in HMRC’s business operations”.

Aspire had made it difficult for HMRC to “get direction or control of its ICT; there was little flexibility to get things done with the right supplier quickly or make greater use of cross-government shared infrastructure and services”. And exclusivity clauses “prevented competition and stifled new ideas”.

Capgemini and Fujitsu made a combined profit of £1.2bn, more than double the £500m envisaged in the original business plan. Profit margins averaged 16 per cent to March 2014, also higher than the original 2004 plan.

HMRC was “overly dependent on the technical capability of the Aspire suppliers”. The NAO also found that HMRC competed only 14 contracts outside Aspire, worth £22m, or 3 per cent of Aspire’s cost.

Although generally pleased with Capgemini,  HMRC raised with Capgemini, during a contract renegotiation, several claimed contract breaches for the supplier’s performance and overall responsiveness.

When benchmarking the price of Aspire services and projects on several occasions, HMRC has found that it has often “paid above-market rates”.

HMRC did not consider that its Fujitsu-run data centres were value for money.

Comment

HMRC deserves credit for seeking to replace Aspire with smaller, short-term contracts. But is it possible that HMRC is spending far too little on help with making the switch?

HMRC doesn’t have a reputation for caution when it comes to IT-related spending.  The total cost of Aspire is expected to rise to £10.4bn by 2017 from an original expected spend of £4.1bn. [The £10.4bn includes an extra £2.3bn for a 3-year contract extension.]

Therefore a spend of £5m to £20m for help to replace Aspire seems ridiculously low given the risks of getting it wrong, the complexities, the number of staff changes involved, the changes in IT architecture, and the legal, commercial and technical capabilities required.

The risks are worth taking, for HMRC to regain full control over ICT and performance of its operations.

If all goes wrong with the replacement of Aspire, costs will continue to spiral. The Aspire contract lets both parties extend it by agreement for up to eight years. HMRC says it does not intend to extend Aspire further. But an overrun could force HMRC to negotiate an extension.

As the NAO has said, an extension would not be value for money, since there would continue to be no competitive pressure.

Campaign4Change has never before accused a government department of allocating too little for IT-related change. There’s always a first time.

Government Computing article

 

HMRC seeks smaller IT contracts – a big risk, but worth taking?

By Tony Collins

Public Accounts Committee MPs today criticise HM Revenue and Customs for not preparing well or quickly enough for a planned switch from one main long-term IT contract to a new model of many short-duration contracts with multiple suppliers.

It’s a big and risky change in IT strategy for HMRC that could put the safe collection of the nation’s taxes at risk, say the MPs in a report “Managing and replacing the Aspire contract”.

But the Committee doesn’t much consider the benefits of switching from one large contract to smaller ones, potentially with SMEs.

Is the risk of breaking up the huge “Aspire” contract with Capgemini, and its subcontractors Fujitsu and Accenture, worth taking?

Suppliers “outmanoeuvre” HMRC

The PAC’s report makes some important points. It says that HMRC has been “outmanoeuvred by suppliers at key moments in the Aspire contract, hindering its ability to get long term value for money”.

The costs of the Aspire deal have soared, in part because of extra work. Before it merged with Customs and Excise, Inland Revenue spent about £200m a year on its IT outsourcing contract with EDS, now HP.  Customs and Excise’s contract with Fujitsu cost about £100m a year.

After the Revenue and Customs merged, and a new deal was signed with Capgemini, the money spent on IT services soared to about £800m a year – arguably out of control.

HM Revenue and Customs spent £7.9bn on the Aspire contract from July 2004 to March 2014, giving a combined profit to Capgemini and Fujitsu of £1.2bn, equal to 16% of the contract value paid to these suppliers.

HMRC considers the contract to have been expensive,  and pressure to find cost savings in the short-term led it to trade away important value for money controls, says the PAC report.

“For example, in a series of disastrous concessions, HMRC  conceded its rights to withdraw activities from Aspire, to benchmark the contract prices against the market to determine whether they were reasonable,” says the report.

“It also gave up  its right to share in any excess profits. In 2007, HMRC negotiated a three-year  extension to the Aspire contract just three years after the contract was let, extending the end of the contract from 2014 to 2017.

“The Department has still not renegotiated the terms of the contract in line with a memorandum of agreement it signed in 2012 designed to separate Capgemini’s role in service provision from its role as service integrator and introduce more competition.”

Big or small IT suppliers?

The Aspire contract between HMRC and Capgemini is the government’s largest
technology contract.  It accounts for for 84% of HMRC’s total spend on ICT.

Today’s report says that Aspire has delivered certainty and continuity over the past decade but HMRC now plans a change in IT strategy in line with the Cabinet Office’s plan to break up monopolistic contracts.

In 2010, the Cabinet Office announced that long-term contracts with one main supplier do not deliver optimal levels of innovation, value for money or pace of change.

In 2014, it announced new rules to limit the value, length and structure of ICT contracts. No contract should exceed £100m and no single supplier should provide both services and systems integration to the same area of government. Existing contracts should not be extended without a compelling case.

The Cabinet Office says that smaller contracts should allow many more companies to bid, including SMEs, and provide an increase in competition.

HMRC agrees. So it doesn’t plan to appoint a single main supplier when Aspire expires in 2017.  But PAC members are worried that the switch to smaller contracts could jeopardize the collection of taxes. Says the PAC report:

“HMRC has made little progress in defining its needs and has still not presented a business case to government. Once funding is agreed, it will have only two years to recruit the skills and procure the services it will need.

“Moreover, HMRC’s record in managing the Aspire contract and other IT contractors gives us little confidence that HMRC can successfully achieve this transition or that it can manage the proposed model effectively to maximise value for money.

“HMRC also demonstrates little appreciation of the scale of the challenge it faces or the substantial risks to tax collection if the transition fails. Failure to collect taxes efficiently would create havoc with the public finances.”

The PAC recommends that HMRC “move quickly to develop a coherent business case, setting out the commercial and operational model it intends to put in place to replace the Aspire contract. This should include a robust transition plan and budget”.

Richard Bacon, a long-standing member of the PAC, said HMRC has yet to produce a detailed business case for the change in IT strategy.

“HMRC faces an enormous challenge in moving to a new contracting model by 2017, with many short-duration contracts with multiple suppliers, and appears complacent given the scale of the transformation required.

“Moreover, HMRC’s record in managing IT contractors gives us little confidence that HMRC can successfully achieve this transition or that it can manage the proposed model effectively to maximise value for money.”

Comment

The PAC has a duty to express its concerns. HMRC needs stable and proven systems to do its main job of collecting taxes. A switch from a single, safe contract with a big supplier to multiple, smaller contracts could be destablizing.

But it needn’t be. The Department for Work and Pensions is making huge IT – and organisational – changes in bringing in Universal Credit. That is a high-risk programme. And at one time it was badly managed, according to the National Audit Office. But the gradual introduction of new systems hasn’t hit the stability of payments to existing DWP claimants.

This is, perhaps,  because the DWP is doing 4 things at once: running existing benefit systems, building something entirely new (the so-called digital service), introducing hybrid legacy/new systems to pay some new claimants Universal Credit, and is asking its staff to do some things manually to calculate UC payments. Expensive – but safe.

The DWP’s mostly vulnerable claimants should continue to be paid whatever happens with the new IT. So the risks of major change within the department are financial. The DWP has written off tens of millions of pounds on the UC programme so far, says the NAO. Many more tens of millions may yet be wasted.

But many regard the risks as worth taking to simplify the benefits system. It could work out a lot cheaper in the end.

At HMRC the potential benefits of a major change in IT strategy are enormous too. Billions more than expected has already been spent on having one main supplier tied into the long-term Aspire contract (13 years).  Isn’t it worth spending a few tens of millions extra running parallel processes and systems during the transition from Aspire to smaller multiple contracts?

It could end up costing much less in the end. And running parallel new and existing systems and processes should ensure the safe collection of taxes.

If government departments are not prepared to take risks they’ll never change – and monolithic contracts and out-of-control costs will continue. Is there anything more risky than for HMRC to stay as it is, locked into Aspire, or a similar long-term commitment?

HMRC not ready to replace £10bn Aspire contract, MPs warn – Computerworld

Taxpayers face havoc from HMRC computer changes – Telegraph