Public Audit and Post-legislative Scrutiny Committee

Meeting date: Thursday, December 3, 2020

Official Report 577KB pdf

---

Managing Information and Communications Technology Projects (Key Audit Themes)

Item 3 is an evidence session as part of our scrutiny of key audit themes, on managing information and communications technology projects. I welcome our witnesses from the Scottish Government, who are participating remotely. Sharon Fairweather is director of internal audit and assurance, Colin Cook is director of digital, and Nick Ford is director of Scottish procurement and property.

I invite Colin Cook to make a brief opening statement.

I thank the committee for such a timely opportunity to discuss how we manage digital and information technology projects across the Scottish Government.

Over the past six months, we have supported more than 15,000 users to work remotely, we have launched a major new initiative to tackle digital exclusion, and we have worked across the public sector to scale old services and spin up new ones. That has proved once and for all, I think, the value of innovation, industry-standard project management techniques and use of modern cloud platforms, which the committee has spoken about on many occasions.

The period has been marked by an extraordinary level of co-operation between the private and public sectors, with offers of direct assistance coming from companies across the country, and individual volunteers coming forward to work as part of the Scottish tech army.

It is against that background that the Scottish Government and local government have come together to launch the consultation that will update our national digital strategy. Part of that strategy will cover the matters that we will discuss today—how we enable digital government, introduce common platforms and achieve best value through our work with the private sector. I hope that, throughout the meeting today, we can test our thinking, identify opportunities for improvement and help to shape what we hope will be a big, bold and transformative approach to building a digital Scotland.

There are three of us here to provide evidence. I am digital director of the Scottish Government—a role that gives me responsibility for digital connectivity, our shared IT service, capability and talent management, data and the support that we provide to the digital transformation agenda. I am also the senior responsible officer for some of, but not all, the major projects on which we recently submitted our update report to the committee.

Joining me today is Sharon Fairweather, who is director of internal audit and assistance. Her team is responsible for implementation of the Scottish Government’s technology assurance framework. Her directorate was expanded back in 2018 in order to bring that office and that responsibility together with internal audit, the portfolio programme and project assurance team, which oversees gateway reviews, and the Scottish Government’s data protection officer.

I am also joined by Nick Ford, who is the recently appointed director of Scottish procurement and property. His role is to lead and deliver public procurement at national level, with a focus on delivering savings, benefits and efficiencies through procurement and contracting. He joined us relatively recently from the United Kingdom Government’s former Department for International Development. We hope that he will be able to bring to bear that experience, and his previous private sector procurement experience, in the discussion today.

Before I bring in Colin Beattie to kick off questioning on the key audit theme work, I want to pick up on the impact that Covid-19 has had on major IT projects. Mr Cook, perhaps I can get a broad indication of the impact from you and your team. I am thinking about the number of projects that have been delayed and what the key issues have been, and whether any projects have been sped up as a result of the Covid-19 work and what impact that has had.

We have seen an extraordinary increase in the number of IT projects. As I mentioned, we have found new ways of partnering with the private sector, with new sources of talent coming to support us. There are many examples of that.

There has not necessarily been a change of direction, but the adoption of IT and its public acceptance has certainly been accelerated. At the same time, we have become much more aware of the dangers and difficulties that come with digital exclusion, so—for example—the connecting Scotland programme has been launched to get equipment and data packages into the hands of individuals who have found themselves excluded.

I might get the figures slightly wrong here, but a good example of how services have been accelerated is the near me service, which provides video consultation appointments with general practitioners. A few months ago, before the pandemic, it was doing about 300 consultations a month; the number has increased to 17,000 consultations. That is an indication of the level of increase in services.

In addition, new services have been developed for getting information that is relevant to the pandemic on to our common platforms, and we are bringing up new customer management databases to deliver new services and support to people who are in risk-management categories.

Overall, the pandemic has been an accelerant. Luckily, IT as an industry, and people within Government who work in IT, can work very effectively from home, and we have managed to do so. For example, over the past few months, the Scottish Government has accelerated roll-out of Microsoft Teams. We brought that programme forward because of the need to work effectively from home and, through fantastic co-operation with the private sector, we have rolled it out to every staff member in the Government.

We are moving very quickly and have accelerated our progress. As we look forward to the national digital strategy, it is pretty clear that it will incorporate new and ambitious programmes of digital reform.

Nick Ford or Sharon Fairweather might add to that.

Within the major projects update there are, as far as we are aware, only two in which there have been conscious delays. The first included some social security programmes; a delay was announced in April so that the social security services could focus on what they needed to do in relation to the pandemic. The other was the census, which has been delayed until 2022; that delay was announced in July.

In all the other projects in which we are involved, there may have been minor delays while organisations have reshaped and realigned themselves with the new ways of working, but as far as we are aware they have all now picked up and are back on track.

Graham Simpson has a supplementary question.

Thanks, convener. I will follow up on the very interesting statistic on the number of video consultations that GPs are doing per month, which sounds like a lot. How many GPs are able to offer that service? Is it 50 per cent, 60 per cent or is it all GPs? I do not imagine that it is all of them.

I am afraid that I do not know the answer to that. I will check the statistic and get back to the committee with that. I am sorry.

You could get back to Mr Simpson on that, or Mr Simpson could submit a parliamentary question to the relevant health minister.

I will go back to the question on delays. It seems that only two major projects were delayed. Has any assessment been made of the financial impact of delays? How much in the way of extra resources has been put into developing IT projects during the Covid-19 pandemic, and will that have a knock-on effect on budgets for IT projects in the future? Sharon Fairweather wants to come in.

I am afraid that I do not have that information available. We can take the question away and ask it. I do not know whether Nick Ford or Colin Cook have any information on that.

Are you saying that you do not have the answer to the first part of the question, the second part of the question or both?

I do not have the answer to either question.

On the projects that have been cited, in particular the census, the delay was not IT driven, but was driven by the fact that it would have been very difficult to conduct a census that had a physical element during the pandemic. The circumstances are similar in relation to social security.

It will take time to assess the additional costs across the range of what we do in the Scottish Government. Speaking for my directorate, I can say that there have not been significant additional Covid-related costs in IT developments. If timetables are pushed back, there is usually an increase in the overall cost. However, in the main, the IT industry in both the public and private sectors has adjusted very well—as we would expect, given the technical capabilities in remote working. We have been able to push things forward without a significant increase in costs.

Throughout the IT project work—in particular, the work that has come to the committee—we have repeatedly seen high-risk IT projects or IT projects that require intervention. Given that staff have rightly been redeployed to other projects or have been given a different focus, is there a risk that IT projects that required greater oversight and management have been neglected, because the people who would do that work have been moved to something else, or are you confident that oversight and management have been done?

As you say, convener, we have redeployed staff to priority projects. My directorate has redeployed many people, particularly to health-based projects. I am not aware that we have increased the vulnerability—if that is the right term—of any significant projects because we have redeployed staff. Senior staff and roles in IT projects have been redeployed, but in the ones that I am aware of, we have made contingency arrangements and have ensured that the projects still have the oversight and leadership that they need to be successful.

Colin Beattie joins us remotely.

Thank you, convener. I would like to look at some of the key audit themes that have been coming up over the years, which have been fairly consistent. There are issues around planning, procurement and tendering processes. We have discussed on several occasions the assurance framework that has been put in place by the Scottish Government to provide oversight of major IT projects.

09:45  

At what point does the Scottish Government become involved in a potential IT project? Is it when it is just an idea or when it becomes more of a possibility, or does there have to be a concrete proposal in place? Where in that process does the Scottish Government come in?

Do you mean when the assurance process starts?

Yes.

I ask Sharon Fairweather to lead on that.

In all major projects, there are four points at which we undertake the major project assurance processes. The first is the business justification stage. The aim of that is to ensure that the project is soundly based at the outset—that it has a robust strategic business case, that it has been adequately scoped and that resourcing and skills are being considered and addressed. The second stage is at pre-procurement, the third is during delivery and the fourth is before the project goes live.

Now that the framework is up and running, we should be getting involved in projects at a really early stage. Gateway reviews should also start at that very early stage. We should be made aware of projects at the initiation stage, so that we can be aligned to do the business justification assurance stage.

How do you define the initiation stage? If I am not interpreting you wrongly, it seems that your first intervention comes when the project is rather more concrete and there is a business plan in place.

That is when the first assurance step comes, but there is a lot of work and information available to projects right from the start, through assignment of a senior responsible officer and all the guidance that is available to the SRO to do the preparatory steps. Once the preparatory steps have been done, we undertake the first assurance step before the project is allowed to develop towards procurement.

It is required that we be informed as soon as a major project goes live within business plans and risk registers. At that point, we must be told about them, so that they hit our major projects update list.

I will add to that from the perspective of someone who is responsible for projects that are assured. When we have a major project—one that is worth more than £5 million and is of real significance—we engage early with the assurance team, because we need to plan for the process of assurance. We need to consider the very act of having a process of assurance right at the beginning, when we are thinking about how we will resource a project and about its timetable. Therefore, right from the beginning and the early stages, there is on-going dialogue to map out the appropriate assurance route for a programme.

I presume that one of the first things that you do is ensure that the public body concerned is completely clear about what the project is trying to achieve, which would also mean realistic timescales and budget. How do you physically engage in that point? A lot of work goes on to get to the point at which there is something concrete in front of you. At what point in that lead-up do you ensure that the body has clarity of thought as to what will be achieved? That seems to have been a problem in a number of projects.

There are various stages. We pick up on major projects through various routes; for example, through internal audit discussions, the general work that we do with directorates, or directorates informing the digital assurance office directly. As soon as we are aware of a project we start, as Colin Cook said, engaging with that project so that it can start planning in assurance processes and is aware of what we will look for when we get to the relevant assurance stages.

Whether we are doing a gateway review or a major framework review, the first stages of assurance assessments are around strategic assessment—if it is a programme—or the strategic business case. That is to ensure that the project is properly set up—that it has capability within the team to deliver what it needs to deliver, and that the team knows what it wants to achieve, the benefits that it wants to achieve, how to go about that and how to engage with users to develop the project. All of the initial governance planning and set-up stage will be assessed as part of the first assessment process. However, as Colin Cook said, we regularly engage with teams during that build-up to provide advice and support on the way.

We recently held a focus group session with IT contractors to hear their views on how the management of IT projects could be improved, and some concerning issues came out of that. They had issues with the procurement process; they felt that, in some cases, out-of-date information was being used and that the tenders for some projects were failing to keep pace with modern procurement processes. How would you respond to that comment? It was a fairly universal view and not just the view of one person.

Nick Ford also wanted to come in on Colin Beattie’s previous question, so I will take Nick Ford before we come to Colin Cook.

Good morning. Thank you for the question. I am recent to the Scottish Government, so I cannot talk about the specifics of the programmes but, in my experience of good procurement—not just in a digital space but generically—it is all about skills and capability, leadership and culture, the process and the governance and having market insight and supplier relationships.

I will touch on those in more detail, which also covers some of the earlier questions. On skills and capabilities, it is about ensuring that the professional experts, who have the deep category experience—in this case in digital—are invested early into the programme team and are working with the programme team. Therefore, we recruit and build capability in that procurement expertise. However, we also build commercial and contract management expertise in the non-procurement experts, such as the SRO and the contract managers. The guidance tells SROs that they need to engage with the professional experts and bring them in at the early design and planning stages. We can talk about some of the work that we have done on that. For example, on the social security programme, we have recruited procurement experts from the Department for Work and Pensions to provide contract management training and SRO training to help ensure that there is greater understanding.

On leadership and culture, the SROs must recognise the importance of bringing professional experts into early phases of the design, so that they can build a culture that welcomes lesson learning and difference of opinion and is open to challenge, in order to avoid the optimism bias. That has come out in a number of reports. We do not want the team to be wearing rose-tinted spectacles, so it is about ensuring that it has professional experts, that it is listening to those voices and is open to challenge. Again, the Scottish Government payment platform is a good example of where the procurement people were brought in right at the start, working with the digital experts and programme managers to develop the plans until we had the right commercial model and terms and conditions, as that has progressed over the life-cycle.

With regard to learning, on the ICT national portfolio forum we have senior leaders and senior procurement experts who look at ICT programmes and come together periodically to learn and share lessons. Audit Scotland has presented at that forum.

It is all about having the right process and governance in place, such as the digital assurance office and the technology assurance framework, which Colin Cook and Sharon Fairweather can talk about. From a procurement perspective, we have the procurement journey, which is a robust, internationally recognised online platform that walks buyers through the procurement phase and provides guidance on best practice throughout that.

The market insight is all about having buyers, experts and digital people who understand the size, complexities, depth and sustainability of the market, and who are highly networked, so they work with other colleagues and build healthy relationships with their suppliers. When we bring all four of those focus areas together, we should avoid some of the pitfalls that have been identified in the reports. I can go into specific detail on any of those areas, if you would like.

One of the reports had a comment about copying and pasting. Without knowing the details, I cannot comment on that but, obviously, we would not recommend doing that. Best practice would be that a procurement expert who is working with the programme would decide on what the right tender package and criteria are, specific to the programme of procurement that is being undertaken. The guidance in our procurement journey platform provides guidance on best practice, and that is what we recommend throughout the process.

Obviously, we have discussed this on a number of occasions, and I, too, saw the feedback from the companies that the committee discussed these issues with.

It is worth saying that, nearly two years ago—in response to discussions like these and the observations of Audit Scotland—we set up the digital commercial service, which is a joint operation between my directorate, which is digital, and Nick Ford’s directorate, which is procurement and property. That is about supporting parts of the Scottish Government to ensure that we engage with the IT world in an appropriate and modern way.

Nick referred to the payments programme that we are working on, which is a good example of that type of working. The programme has involved a much more comprehensive approach to market engagement before we enter the formal procurement process. Market engagement is now tied to specific projects, and that allows industry to bring its thoughts and innovative ideas into a project as part of the procurement journey. That allows us to get away from overspecifying in a particular tender and not allowing for the innovation that can come from the market, which we faced criticism for in the past.

We also engage widely with networks and pools of tech companies to ensure that we promote our opportunities to get involved with public sector procurement. We do that through blog posts and social media, and do not rely only on the standard pin notices. Therefore, it is unfair to say that we are not moving with the times; we have done an awful lot of very innovative things.

At the beginning of the meeting, the convener asked about things that we did differently during Covid. Some innovative procurement exercises have come through during this time. For example, we placed a contract with a local company called SnapDragon to provide rapid, detailed due diligence on non-health personal protective equipment supply chains. The result of that was that we were four times faster than usual in awarding those contracts and we identified only genuine offers of supply.

Also, we worked with significant network suppliers such as Vodafone and Capito to give support to organisations working in the third sector to target violence against women and girls, for example.

Therefore, we have been able to show progressive procurement in the IT world, and we have seen the benefit of doing so in the last six months.

How regularly do you review your IT procurement processes to ensure that they are up to date and reflect current IT practices? Based on the feedback that we got, it did not seem that that had happened. One of the participants said that information that was copied and pasted into a procurement tender was from five years ago. That does not seem to indicate very frequent updates.

10:00  

I agree with the view that we should, obviously, be continually reviewing, developing and improving our procurement processes to ensure that they are topical and relevant and are putting policy into practice. The Scottish public sector is broad and the buying community is extremely diverse, which means that, when we set and update policy at the centre, it takes a bit of time to get that out to all the people who might be undertaking ICT procurement.

Building on some of the best practice that I believe that the Scottish Government has established in ICT procurement, we have adopted agile methodology. For example, we have applied agile methodology to the Scottish Government payment platform, which we mentioned earlier. That programme is progressing well and has moved from the initiation phase, through the alpha phase and has reached the beta phase. To support that agile methodology, through the digital academy that has been established, we have been training a significant amount of individuals—nearly 2,000 people from, I think, 70 public organisations have gone through the academy’s agile methodology training.

From a procurement perspective, we have put in place a dynamic purchasing system, which is a step change from more traditional frameworks and is aimed at digital procurement and agile-type methodology. It enables us to move really quickly. A traditional framework might have had 10 monolithic single-service solution providers, locked in for perhaps three to four years, but the dynamic purchasing system is much more fluid. For example, the digital system has more than 400 suppliers, 70 per cent of which are small and medium-sized enterprises. We can award a contract in 10 days from a requirement being published, which means that we can respond quickly. That is the agile methodology approach.

Through the work that we do with CivTech—I assume that this committee is very much across that—we invite entrepreneurs, start-ups and so on to present technological solutions to challenges that we might have. We have one of those invitations running at the moment, on how we can better manage forestry and harvest trees. We hope that that will move to the accelerator stage in the new year.

We are establishing and putting in place some very innovative procurement methodologies. The Scottish procurement journey is internationally recognised. It is an online toolset that provides guidance and walks public sector buyers through every stage of the procurement process. Obviously, we periodically update that following new legislation and new policies but also following feedback and the development of new best practice. That toolset is regularly updated to keep buyers, wherever they might be across the Scottish public sector, up to date with the latest thinking and, therefore, prepared to buy into it.

I read some of the feedback and comments that you refer to, but that would absolutely not be what we would expect from procurement experts.

On top of what I have outlined, and to support all of that, we have implemented ICT procurement training, which involves giving specific training in ICT good practice to buyers, and we have built up a community of ICT buyers across the public sector. I think that around 300 people are already taking part in lesson learning and sharing.

Given the size and breadth of the public sector, and where the public buyers who are procuring ICT might be, there will always be cases of the sort that you are referring to. However, overall, we are going in the right direction and are ensuring that our procurement processes and methodologies are in line with best practice.

That was a very comprehensive answer. Mr Cook, unless there is anything else that you wish to add to that, I think that we should carry on with the questions. We have lots of questions to get through and I want to make sure that we get every member in.

I just want to quickly add something. Nick Ford talked about what we are doing with CivTech, which involves us supporting six companies to come up with potential solutions to a problem. That model, which my directorate pioneered in Scotland, has been replicated in countries across the world, and we now have a vibrant network of international Governments that work with us on those kinds of approaches. There is some real innovation in Scotland, and we can be proud of what we have done in terms of IT procurement.

In response to Colin Beattie’s questions, Sharon Fairweather talked quite rightly about the Government’s process when projects are highlighted. However, two gaps jump out. First, how do you find out that there is a problem in a project? Are you often reliant on the people who are involved with the project flagging up that there is a problem? What better system can be put in place so that we know when a project is in trouble and there is an opportunity for early intervention?

Secondly, we have been referring to major projects, but what about the ones that are not major projects but which still involve a significant amount of money? How are problems flagged up so that there is better oversight of projects that would not be termed as major projects but which still have a big cost to the public purse?

There are a number of ways in which problems with any project or programme that is being run by an organisation should be flagged up. Within organisations’ normal governance processes, there are risk registers and risk management processes, so there should be escalation processes for risk management. When issues relating to risk management arise within a team, they should be raised to a higher level and so on, depending on the size and scale of the issue, up to the highest level of governance. In any normal organisational governance process, there should be the route up through which any risks or issues that arise can be highlighted and flagged, so that the management of the organisation—

I am sorry to interrupt, but I want to press you on the question. I accept that the process exists, but that is not happening, because the same issues keep being flagged up to the committee. I would have much greater confidence in your answer if the problems had stopped happening, but they are still happening. Clearly, a framework exists, but how people operate is not consistent with that framework. What can be done to get the intervention that will make a difference?

The main thing that we can do is to continually push the lessons learned. Through Nick Ford’s team, we should continually push the capability of management of projects and programmes. We should continually push engagement with the organisations, so that they participate fully in the assurance processes and respond to issues. We have definitely seen more of an uptake, better responses to recommendations and more involvement in assurance throughout the processes and at an earlier stage.

We need to tackle the issue through different routes. We need to tackle it through the work that is going on across the Scottish Government to develop risk management in organisations. We need to tackle it through the work of Nick Ford’s team on developing programme and project capability. We need to tackle it through the assurance programmes. We also need to continually raise the lessons learned.

What about my point on the major projects versus the non-major projects?

All major projects are on the technology assurance framework anyway, so they all have to go through the assurance stages that are required for a major project. For non-major projects, we are more reliant on other forms of assurance or risk management to ensure that issues are being picked up and tracked. Again, that is about ensuring that there is good education about the tools and guidance that are available. It also relates to sponsorship arrangements and the other discussions that the Scottish Government will have with organisations that are taking forward projects that are small in the grand scheme of things but which are important to the organisations involved.

Colin Cook, for the benefit of the public, will you clarify, budget-wise, what you regard as a major project and what you regard as a non-major project?

Sharon Fairweather sets the framework conditions and can change those. At present, a major project is one with a lifetime value of more than £5 million or one that involves a significant reputational risk—sometimes, projects that are below that value might deal with a particularly sensitive issue. Those are the standards to which we operate, and they are set by Sharon Fairweather’s team.

Is the £5 million figure sensible? If you said to the public that a project worth £4.9 million—or, indeed, £1 million or £0.5 million—was not regarded as a major project, so it had lower oversight thresholds, I am sure that they would not think that that was acceptable.

Sharon Fairweather can comment on why we set the framework at that level, but it is also worth pointing out that there is a form of assurance for projects beneath the £5 million threshold. For example, any digital service development is subject to what we call our digital service standard. Assessments are carried out of the degree to which we are meeting that service standard. There are assurance processes for programmes with a value of less than £5 million. It is just that they are not the one that we have described and which we often talk about at this committee, which relates to major projects. All service developments are assured against that standard so that the public can have confidence that they are being developed in the right way, that we have the teams that are required to develop them and that we are looking at user needs and interpreting those needs correctly. There is another form of assurance for programmes beneath the £5 million threshold.

My questions are for Nick Cook. Mr Cook—

It is Colin Cook; you are mixing him up with Nick Ford.

I am sorry—my questions are for Nick Ford, not Colin Cook.

You have used some interesting phrases, such as “procurement journey”, “lesson learning” and “agile methodology”. None of those means anything unless we get actual change.

I want to go back to the focus group session that we had, which has already been touched on. There was a strong feeling that the terms and conditions are centrally driven. Very often, they are copy and pasted—you have mentioned that already. Therefore, they are not very agile. It was strongly felt that, as a result, small and medium-sized enterprises can be cut out of the process and are missing out.

Participants in the focus group session said that

“contractors are being told that if they do not meet all the requirements then they are ‘non-compliant’ and are excluded from the bidding process.”

I will give an example that was raised with us by one of the participants. They said that they were asked to name all the members of the team that would work on a contract months in advance of that contract. Before people had even been employed, they were asked to name the people who would be working on the team. That is virtually impossible for a smaller or medium-sized company to do.

What are you doing to be more agile and to ensure that terms and conditions are not centrally driven? How are you tackling the business of having to provide names of staff members in advance, which sounds absolutely ludicrous?

When I discussed the work that we do on the procurement journey, I was talking more about the procurement process. The direction of your questioning is more specifically about the terms and conditions, so I will talk about those.

It was in around the summer of 2018 that the Scottish Government released some new terms and conditions—a model set of ICT terms and conditions that had been developed with legal colleagues and procurement experts. That was a big step forward from historical terms and conditions, which were not specific to the ICT sector. The other positive was that, when we released those terms and conditions, although they were mandated for the Scottish Government, they were also available for public sector bodies to use. Obviously, as their own contracting authority, all public sector bodies can choose their own terms and conditions, so they do not have to use them, but they are there as a model set.

Alongside those, guidance to the buyer was published, so that buyers can look at the terms and conditions and understand how to adjust and amend them so that they are proportionate and appropriate for the specific procurement that is being undertaken. In an ICT context, typically, that will cover how to manage the purchase of licences in the Ts and Cs, and other areas such as copyright and intellectual property. The ability is there to deal with such matters in the terms and conditions.

It is fair to say that it would be good practice to review those terms and conditions periodically. The passing of two years from when the new set went live in the summer of 2018 would have given us enough traction to do a review. We did not manage to get to that this summer because of other activities, but I am pleased to say that we have now started that process. A working group has been formed with digital colleagues, the Scottish Government experts and legal staff to look at the current set of ICT terms and conditions and take on board the feedback that we have had on the procurements that have been run. Through that process and that exercise, which will take place over the coming months, we will also reach out to industry and organisations such as ScotlandIS to ensure that we take their feedback on board.

10:15  

Within the procurement and tendering process, there is an opportunity for suppliers to seek clarifications or raise areas of the terms and conditions that they want to discuss with procurement colleagues. They will submit that as part of the tendering process and the buyer will then have to consider whether the issues are material or whether they are okay to give those clarifications. If an issue is material, understandably, we cannot have a certain organisation having an unfair advantage compared with another. We have to run procurements on an open and—

Mr Ford, can I stop you there? I want to go back to the actual question, and I ask you to make the answer brief. It sounds as though you are agreeing that we have standard terms and conditions for projects across many policy areas and that you believe that something should be done about it. I accept that you are new to the role, but nothing has been done about it yet—is that the case?

They are not quite standard. We do not have a one-size-fits-all approach. As I explained, guidance is in place and the buyer can adjust the terms and conditions according to the specific procurement that is being undertaken. There is a model set of terms and conditions, but they can be tailored to specific requirements. I accept—

They are not being tailored, Mr Ford. That is the message that we have got. The people who are bidding for contracts are faced with a set of terms and conditions that are, to be frank, not relevant to those contracts. Surely, each contract should have its own individual terms and conditions. I accept that there might be some that are standard, but surely every contract should be different. Do you agree with that?

Not in the sense that we have all the boilerplate terms and conditions. It is important that public sector contracts are robust. That was recognised in the audit report on Police Scotland’s i6 programme, which noted that, although it was a failed programme, the good practice procurement and robust contract enabled settlement on termination. Having a good set of terms and conditions is really important for public sector procurement.

I did absolutely say that terms and conditions should be reviewed periodically to ensure that they maintain topicality, and we are embarking on that for the model set of ICT terms and conditions. We will always do that periodically. However, it is good practice for the buyer to adjust the terms and conditions, in line with the guidance, to make them specific for individual procurements. That is what we recommend and expect.

On the point that you raised about CVs, I do not know the specifics of the individual case or personnel, but, again, there should be specific consideration of what is relevant to the procurement. There will be programmes where it is important that the key personnel have specific capability, experience and skills in order to deliver the programme, so those things will be comparators and they should be tested through the procurement process. The procurement should consider who is being proposed, whether they are suitable and whether they will deliver the best outcomes for the programme.

That will be done case by case, depending on what is required. It will not be done for all ICT programmes, and I would not normally expect that we would ask for that in relation to all staff. It would only be in relation to what we would term key personnel that we may want to see copies of CVs or the experience of people who are proposed for, say, the lead team. Some of that will be appropriate at certain times, but it depends on the specifics of the procurement. The approach should be tailored in line with that.

You have revealed something that we did not know, which is that you are asking for people’s CVs. That sounds incredibly intrusive. Can you tell me what you mean by “reviewed periodically?” Is that once every two months, once every six months or once a year?

No. In the norms of procurement, terms and conditions go through how long a procurement takes. I would expect a periodic review, and I mentioned a cycle of about two years. The current model set went into place in the summer of 2018, so we would have been doing the review this summer but, obviously, we did not get to that and the committee will recognise why that is. However, we have now started that process, so the review will take place. Normally, I would look at a timescale of around two years, because we need sufficient procurements to have run through, and legislative and policy changes might not happen that frequently.

I will leave it there, convener.

Bill Bowman has a supplementary question.

My question is for Nick Ford. I recall the focus group, and it did not come across that there was flexibility to change any of the terms and conditions. Even if the public body and contractor said that they wanted a change, they could not get it changed.

One of the questions that I asked was, if people have a situation like that and need a quick, simple answer or ruling on whether the terms can be changed, is there somebody that they can go to who has the authority to say, “Yes, that does not apply,” or, “No, that must stick”?

Every procurement operates in its own right, and the authority on the procurement will be the buyer who is identified as the responsible person for that procurement, so the supplier has an opportunity to raise it through the procurement process. As I said, in the tender documentation there is a section where the supplier can import the areas of terms and conditions that it would like to clarify or discuss. The important bit is that it cannot materially lead to potential unfair advantage through the procurement process.

However, we got the impression that there was no flexibility and there was nobody to ask. I will leave it there.

I will pick up on that. Nick Ford, Colin Cook mentioned that you have recently joined the directorate. Do you mind saying how long it has been?

I joined in July.

That is relatively new, so it would be unfair for us to question you about what was happening before July. It is safe to say that many of the issues that we are discussing, as well as many of the frustrations that were expressed by those who took part in our focus group work, happened before July. It is important to make that distinction.

I welcome what you are saying, but I wonder whether you, Colin Cook or Sharon Fairweather recognise the concerns that were raised in the report that we put together following that focus group work and the points that Graham Simpson and Bill Bowman were making around the details of that work and how often it is updated. They were not making an issue about the terms and conditions; it was more about the build spec not being updated to meet the times. Do you recognise those concerns? Will work be undertaken to address them? Mr Ford, you are relatively new in post, but are you indicating that you intend to do that?

As I said, good practice is to review the documentation and processes, so I expect my directorate to do that.

Colin Cook, do you recognise the issues that were raised by the focus group and Mr Simpson?

We are aware that those issues have occurred. That is one of the reasons why we established the digital commercial service with Nick Ford’s—or his predecessor’s—directorate. I know of examples where terms and conditions have changed around things such as liability clauses in order to get particular suppliers. Those processes happen. We continue to innovate and we will work with the market to make sure that our terms and conditions are appropriate for getting the best people on board.

The issue of CVs, which Nick Ford dealt with, has come up because of new, agile ways of working that have favoured co-location. When we favour co-location and are looking for skills transfer, the need to have the right quality of staff becomes a big issue. That is why getting greater details of who a particular supplier was proposing to put into our teams became an issue and why it appears in the terms and conditions of some contracts.

There is a long history of IT failures across the UK, including UK Government projects. In investigating the issue last night, the furthest back that I could go was a 2003 national health service project called connecting for health, which went from £2.3 billion to £12.4 billion and was supposed to take three years but ended up taking 10 years.

The Auditor General’s report about what happens in Scotland points out common themes: a lack of planning, poor communication, a lack of IT skills, large cost overruns and long delays in implementation. IT problems have existed for the best part of 30 years, and we constantly see the same mistakes being repeated over and over again, so how do you ensure that lessons are being learned?

To give a more recent example, I had a look at the Infrastructure and Projects Authority’s annual report for 2018-19. Again, that is for south of the border, but it said that 17 per cent of projects in the UK Government’s major portfolio had seen their delivery confidence assessment worsen in that year and that a large number of projects had gone into the red in the traffic light system that the authority uses. To go back to the five common themes, how do we go about ensuring that those themes are not constantly repeated, whether that is in Scotland, England or elsewhere? It seems that lessons are not being learned.

We are very conscious of those criticisms. As you say, they go back many years, and we have had a lot of internal work looking at the lessons that we can learn. We have had fantastic and helpful reports on specific projects and more generally from Audit Scotland.

The answer is as complicated as the causes of the problems are. Part of the issue has been procurement. We have discussed many of the changes that we have made to our procurement processes. For example, we now carry out market engagement so that we have a better understanding of projects before we go into the formal procurement phase. Part of it is about having a robust process of audit and assurance, which Sharon Fairweather has described and which I think has made a real difference in Scotland. Part of it is about the training and development of IT, procurement and commercial staff to ensure that we have the right skills in place. Part of it is just a cultural thing about sharing lessons, working across the public sector and exchanging information with our colleagues. Again, we have the processes in place to do that.

No organisation will be completely immune to difficulties with particular projects, and that applies in the private sector as well as in the public sector. However, we have set out to address the issue and to mitigate the risks through the way in which we develop our staff, run our programmes and learn and exchange information and lessons.

How confident are you that those lessons are being learned? The committee held a focus group with IT contractors at which it was said that, although lessons learned are documented, they are not always applied moving forward and that it was like “going around in circles”. What would you say to that comment?

It is difficult for me to comment on that, because I am not aware of the specific criticism that was made, who made it or which contracts they were referring to. However, I know that we do not just document lessons; we learn them. I also know that we train our staff and build their digital, data and commercial capabilities so that we have the right people on board. As I set out at the beginning, I am the senior responsible officer for a number of programmes that are subject to the assurance that Sharon Fairweather’s team provides, and I know that those assurance teams look hard at the composition of the teams that we have in place and the leadership of those projects and are not shy about commenting on that if they think that improvements need to be made. I also know that we exchange information and knowledge with our colleagues across the public sector.

Therefore, lessons are being learned, changes have been made and approaches are getting better. It is a process of continuous improvement, and that will continue to be the case. If there is a specific issue that can be shared with us, I am more than happy to look at that and take it up with the SRO concerned.

10:30  

You touched earlier on the issue of real innovation in procurement. Could you give us a few examples of that?

We have already mentioned what is perhaps the best example of that, which is our CivTech organisation. That is specifically designed to get entrepreneurial and small business talent to address public sector challenges. We start with an initial sift through which we identify and interview six potential organisations to deal with a particular challenge. We then take three of those through to the next stage—it is called the exploration stage—at which they receive £5,000 from us to do three weeks’ work to refine and develop their proposal. We then select one of those companies to go through to the accelerator stage, at which point we offer them a £25,000 contract and work with them over 12 to 14 weeks to develop a minimum viable product. If that MVP is successful, we go into the pre-commercial stage and a contract is placed for the development of the solution, which is typically up to about £210,000.

That is an extremely innovative process that allows much better control of risk. We did some analysis of all the bids that have worked through in that way and, interestingly, found that only 36 per cent of the companies that actually got the final contract were the ones that were ranked highest in the initial paper stage. That shows how, by working in an innovative way, we can develop a solution that is more appropriate for the problem involved. We are now considering and taking legal advice on how to extend that three-to-one procurement approach to bigger contracts to see whether we can make greater use of it. That is another example of how we are innovating.

In the digital commercial service, we are looking at opportunities for things such as concession contracts. Where the public sector in Scotland has paid for the development of, or has co-produced, a solution, there might be opportunities to take that product commercially across the world to other countries with similar problems. We could get financial returns to the Scottish Government if a company goes out and sells the product on our behalf.

Such examples are always under consideration, and we are very proud of what we do in the procurement space.

At the committee’s focus group session, we heard from the participants that it is critical that the person managing a project for an organisation or buyer, rather than having IT skills or knowledge, understands the organisation’s business and what the IT system is required to deliver. The participants’ experience was that the best people are often not released to work with contractors on such projects and that, instead, projects tend to be led by a temporary IT contractor who does not know the business of the public body. What advice do you give to public bodies about who should lead projects on their behalf? Do you advise that it should be someone suitably senior, with good knowledge of the body’s business?

Yes, we would advise that there should be senior-level responsibility for significant projects. We give advice on and assure against the make-up of teams and the skills that are brought to bear in programmes. It is critical to the operating model that I am working to in Government that we are accountable for the delivery of the programmes that we deliver and therefore we need a strong and, where possible—or as a preference—internal project and programme management abilities.

There are examples of where we have used temporary or contract staff to run projects and programmes that require a particular expertise that we do not have in the organisation, but, as the norm, we would wish to run a major project with internal staff.

I do not think that we are talking about particular expertise; it is more about whether someone understands the business. Do you recognise that comment?

Let us say that a mission-critical project was coming up. Who should be the management representative to lead that?

There will be a senior responsible officer, who will almost certainly be from the Scottish Government. A programme director might well be brought in from outside. A good example is the project to redevelop the Scottish Government’s shared services. The first stage of that is a replacement for our enterprise resource planning system, which is our core finance and human resources system. We have brought in an external expert to help us develop that programme in its early stages and deliver it. We wanted to make sure that we have someone in that leadership role who has experience of ERP replacement and shared services. There is a very clear reporting relationship between that individual and the senior responsible officer for the programme, who in this case is the director of transformation, Ainslie McLaughlin, and the director general of organisational development and operations. That combination is appropriate for that kind of significant project.

The focus group people said that, in the public bodies that they dealt with, the person who led the project was not the chief officer. It was somebody from IT, or somebody whom IT had brought in, who would not necessarily understand what was wanted as an output of the project.

If there are specific cases where that has happened, we will look into them. It is absolutely critical—the assurance process certainly looks at this, as does the digital service standard for smaller projects, which I described earlier—that we have a skilled multidisciplinary team. Those skills include having a clear understanding of the business logic and business needs, a lot of knowledge of users and their needs, and the technical knowledge required to deliver that project effectively.

The issue is about putting together teams that are appropriate for the procurement. I would happily look at any instance where it is felt that we have fallen short of that. The norm would be to have that combination of skills.

We should not have to bring you examples. The point is that you should be ensuring that that happens.

I will move on. As you probably know, the Auditor General’s reports have commented on the absence of IT skills in public bodies. The permanent secretary’s letter to the committee in April 2019 set out steps that the Scottish Government was taking to address issues around the recruitment and retention of high-quality IT staff, and Paul Johnston provided a further update in July this year.

The initiatives include the data, digital and technology profession, the digital academy and digital fellowships. What are the expected outcomes of those initiatives, and how will you measure success? Presumably, your outcomes are not just the numbers of participants in the programmes, but their actual impact on future IT projects.

Absolutely. The purpose of all training, recruitment and development is to improve our performance. As I said, we have a continuous improvement culture and the training and recruitment of staff are part of that. I will try to highlight some of what we do.

The Scottish digital academy is designed to ensure that we have a coherent programme of training and development to grow in-house capability. That is about building effective services and meeting users’ needs. I know that numbers are not everything, as you said, but in the academy we have trained nearly 2,500 civil and public servants from almost 100 organisations. We are continuing to pilot and develop new courses.

How will you know that you have had an impact on future projects?

That is the purpose of training and development and of recruiting the staff, as I said. It is about improving our performance—

I understand that. You can put people through training, but how do you measure their impact in the future?

We will measure the outcomes of the programmes on which they work. On an outcomes basis and on an individual basis, we will continue to work with them on their skills through continuous professional development, particularly if they are members of the digital, data and technology profession.

The evaluation is in two forms. First, it is about whether the person has the skills for the job and whether they are improving and developing as an individual. Secondly, it is about whether our programmes become more efficient, whether we get better outcomes and whether we develop things more quickly. There is a complex causal relationship, but we look at both.

You can perhaps tell me how a suggestion from one of the participants of our focus group aligns with what you are doing. They said that, during the recent lockdown period, their staff had attended four to six-week bootcamps to undertake certified training in new areas based on client demand. That enabled staff to update, enhance and broaden their skills. It was suggested that a similar approach could be of benefit to public sector staff, as it would enable organisations to have the appropriate resource, skills and understanding of a project before entering into a contract. Is the Scottish Government taking, or considering taking, such an approach?

We always consider ways of improving the offer from the academy. We have made the point that a lot of IT staff have been accelerating their work over the past six months. The academy has new courses on artificial intelligence, on driving value from data and on programming fundamentals with Python, which is a partnership with CodeClan, the very respected external training body. With it, we are also doing introductions to HTML, for example, and we are working with the QA cloud academy on cloud fundamentals. All those programmes are being developed and are available. We encourage our staff to go through that training as part of their professional development.

The people who are in charge of the academy engage with other academies and with other approaches to training in the private and public sectors. If there are good examples, we look at them and see whether there are lessons for us.

You say that you encourage staff. From my previous experience outside the Parliament, I know that there is training and then there is your job. Often, your job took precedence because you were busy and short of resources—that might ring a bell with you. However, the organisation’s point was that people must do the training. How do you handle that, because you do not necessarily employ the people who might need the training?

There is always a balance between doing the job and training. Through the way in which we set objectives and run teams, we encourage our staff to create time within their working week and working year for professional development. Part of our deal with members of the digital, data and technology profession is that they undertake continuous professional development. We also support that informally through the development of professional networks that allow people to share their ideas and experiences. The digital, data and technology profession has a head of profession, Dave Watson, who is a chief operating officer. His overall accountability involves ensuring that people in the profession get the support and training opportunities that they require.

Within the civil service, there is a very well-mapped-out and tried-and-tested route for having career development conversations with staff and ensuring that people take up opportunities. We try to promote that. We have heads of community who champion talent and development across all parts of the organisation. We work with organisations such as the British Computer Society to check that development is up to standard, and we will continue to do so. Skilling for the jobs that we have is part of our approach and the assurance that we bring to committees such as this one.

I see that there is a supplementary question from Alex Neil, who joins us remotely.

10:45  

I just want to build on the points raised by Bill Bowman. My questions are directed particularly at Colin Cook and Nick Ford. I think that it is well documented now—indeed, another report on it was out this week—that in Scotland, we have quite a substantial shortfall in the number of people who are IT specialists compared to the demand for their services. Indeed, the gap between the demand for those qualified people and their availability is, if anything, getting worse rather than better.

I have two questions. First, what impact does that gap have on your IT strategy and the provision of services to your clients within Government? Secondly, what do you think needs to be done that is not already being done? I know that a lot is already being done, but what needs to be done to try to close the gap?

We have seen during particular crises, such as the farm payment crisis, that the dire shortage of IT specialists was one of the major factors behind why we took longer than would have been the case otherwise to get IT systems sorted. It is quite a crucial factor. How big a problem is it for you and what do we need to do to sort it?

Who wants to answer that? Colin Cook?

Sorry—I was struggling to flag up that I wanted to come in. First, I agree with that analysis. There is a shortage of high-quality digital and IT talent in all sectors of the economy in Scotland and there have been some really significant developments over the years to address that shortage, such as the launch of CodeClan, which was an industry-led skills academy.

It is one of the issues that Mark Logan identified in his recent report about what more we can do in Scotland to create innovative, scalable businesses, and it will be one of the issues that we address within the upcoming new digital strategy. The action that is required starts in schools; it starts with how we teach mathematics and the role of computer science within our school curriculum. It also involves the availability of high-quality university placements and the role of our further education colleges, which have a huge and significant role to play and have done over the years.

It is a whole-system effort and we have seen some very innovative things coming through, such as graduate digital apprenticeships and modern apprenticeships. It is a problem for my team as much as it is for any other part of the economy. We have done a number of things—they were quoted earlier. We take in CodeClan graduates and we encourage student placements and professional internships. We have a programme of modern apprenticeships and graduate-level apprenticeships and we use fast-stream placements from the civil service as well, with a digital element to their recruitment. We are constantly trying to address the issue.

If you ally that recruitment of both permanent and temporary staff with the kind of training programmes that we talked about earlier, you will see that we are taking a comprehensive approach to try to deal with the issue, but it is a constant battle for all organisations to get the quality of staff that we need.

As we come out of the pandemic, with the proliferation of digital business models, there will clearly be even greater competition for the high-quality staff that we all need across the economy.

I hear about all the good things that are happening—that is all well and good and absolutely essential. However, what needs to be done in addition to that? Specifically, we know from the profile of unemployment caused by the pandemic that a lot of it is—and will be—heavily concentrated among younger people, so is there not a window of opportunity for us to try to recruit those young people, get them trained in IT specialisms and give them a bright future?

We are working in a highly competitive, international market, but there is an opportunity. Do we not need more dynamism, innovation, flexibility and nimbleness on the feet to seize the opportunity of all those young people who are desperate for training and a job? Not all of them will want to go into IT or be the right people to do so, but a fair proportion will be. Do we not need some action, on top of everything else that is happening, to exploit that opportunity?

We are taking action; we will continue to do so and we want to be fleet of foot. We have launched a graduate apprenticeship degree programme with specific digital programmes in cybersecurity, IT management and software development; we have appointed 16 CodeClan graduates into Scottish Government since 2019-20; we are supporting modern apprenticeships; and we have supported five student placements in IT operations, data engineering and cybersecurity. Yes, we will work hard to take that action. We are conscious of the economic circumstances in which we operate and of the increasing need for and interest in the digitisation of the public sector. We will find ways, and I hope that, as it intends to, the new digital strategy will include comments on that, to make sure that we give people the opportunities to come into the public sector and develop an IT career with us.

When is the digital strategy due to be completed?

It is an update to the strategy that was published in 2017, and it is a joint exercise between the Scottish Government and local government. The consultation period closes on 21 December and I expect it to be published in mid-February or March.

That is fine, but we will have a major tsunami of unemployment as a result of Covid and we already see signs of that. In the meantime, pending the strategy, can we not take innovative action to match supply and demand more? We do not want those young people to disappear down south or elsewhere, which would mean that we lose that potential pool of talent.

My team will certainly do so from a digital point of view and my colleagues in the economy, work and employment directorates are looking at opportunities to do that. Some programmes have been announced—[Inaudible.]—and I am sure that there will be more. I know that Scottish ministers across portfolios are focused on using that opportunity, as you put it, to develop those skills and give people a future in the IT world, because many jobs will have that component. I talk a lot to our universities and further education colleges, so I know that they are also stepping up their response to give people the skills that they will need.

Good.

I have a final question. What is the staff turnover rate in IT specialisms in the Scottish Government? I know that you probably do not have the figure to hand and that there might not be a universal figure across all departments, but is it in the order of 5, 10 or 20 per cent?

I do not have the figure in front of me, for which I apologise, but it is nothing like 20 per cent and it is not outwith other standards across the civil service. As was mentioned earlier, about 6 or 7 per cent of our current staff are on temporary contracts, and the figure is usually around that level. We have made efforts during the past few years with the training that we deliver and with the introduction of pay supplements for specific digital data and technology roles to try to reduce our staff turnover and attract the best talent into the organisation.

I can come back to you with a turnover figure but, as you have suggested, it varies by sub-profession.

It would be interesting to see the figures, so I ask that you supply those, please.

My final final question is to Nick Ford. Presumably the cost of procuring IT services is highly inflationary, because of the shortage in skills. Can you give an overview of the impact of buying in such services?

I do not have the figures to hand, but it is fair to say that it is a fairly competitive market. If I take the example of devices such as mobiles and laptops, we get extremely competitive rates through Scottish Government procurement. Obviously, as we have seen, the demand for such products has increased because of Covid, but because of the scale of the purchase and how we buy products at a national contracting level, we can maximise the effect of procurement.

We continue to get competitive rates. On the capability side, that is a bit difficult, and we will have to see how that progresses during the coming periods.

I want to ask about the directorate for learning’s national standardised assessments reprocurement. There is a requirement to procure a replacement provider for the delivery of the assessments. The May update states that the project has

“been delayed by COVID-19 and a recognition of the impact of lockdown on market capacity.”

What are the reasons for the replacement provider being required? What additional costs will arise? What is the latest information on the project? Is it back on track?

I apologise—I did not catch the name of the project that was mentioned.

I am asking about the national standardised assessments reprocurement.

I am afraid that I have no knowledge of that project.

Sharon Fairweather has indicated that she wants to come in—perhaps she has knowledge of it.

I can let you know that, following a recent assurance of the action plan in place for an earlier follow-up to a pre-procurement gate, we have recently given approval through the digital assurance office for the project to move into the procurement phase, and that is happening. That includes the Gaelic national standards assessments. The aim is to transition to a new provider, which will take about 12 months or so.

I do not know whether Nick Ford has any information on the procurement side of things. He may not have that to hand.

I do not, unfortunately. All that I can say is that that is on the list of future planned procurement, so it is certainly allocated in my directorate and officials are, of course, progressing it. I would have to come back to about a specific date.

I would welcome further information in response to my questions, including on the reasons behind the need for a replacement provider and on the additional related costs. I appreciate that you cannot provide that information now, but it would be helpful if we could have it.

Do you have any more questions, Mr Bibby?

No, not on that issue, thank you, convener.

Do any other members have any questions?

I want to ask about Police Scotland’s national network project. Does anyone have any knowledge of that? It was due to be completed in March, but the May update reported that it was delayed due to Covid-19. It said:

“Implementation is over 80% complete”.

The November update states that the project has an end date of November. That has been and gone. Has the project been completed?

Can I just check that you are asking about the national network project?

Yes—for Police Scotland.

11:00  

We undertook a delivery gate in February 2020, which gave a green delivery confidence assessment. Our understanding is that that project is now under closure—in other words, it is moving into the live stage.

I do not have any further information available at the moment. We can certainly get back to the committee on that.

That would be useful—thank you.

I have a final question about the unwillingness of some public bodies to halt IT projects when it is clear that they have gone wrong. Participants in the focus group session felt that there was a hesitancy on the part of public sector bodies to admit that there were issues, possibly because of the oversight and the work that could follow from that. Is there a way to strengthen the technical assurance that the stop-go system provides from the outset, so that we can identify problems much earlier? Is that being looked at?

I wondered whether it would be helpful for me to give you some stats. Stop-go is the last stage that we would go to in a project or programme. If we look at the outcomes of our major project reviews, we can see that 28 of the 98 projects of which we have undertaken reviews since the framework was put in place proceeded immediately to the next stage without any other work being undertaken; 37 of them proceeded to the next stage with conditions—we follow up on those conditions, so we are comfortable that they were then met; a number of programmes were not allowed to proceed to the next stage until remedial action was taken but progressed once that remedial action had been taken; some remained at their existing stage so that further work could be undertaken; and some remained at their existing stage with conditions that required to be met. So, within the whole process—

I am sorry to interrupt, but you said that you were going to give us stats and “some” is not a stat. Could you provide numbers? You started off by giving numbers, but then the numbers changed to “some”.

I am sorry. Twenty-eight projects proceeded to the next stage; 37 proceeded to the next stage with conditions—we always follow up to ensure that those conditions are met; nine did not proceed to the next stage until remedial action had been undertaken—again, we follow up on that; two projects were closed; 12 continued at their existing stage because there was further work that needed to be done; four continued at the same stage with conditions that needed to be met; and there were six projects to which those categorisations did not apply.

Did you say that those were all major projects?

Yes.

What about the non-major projects that get into trouble?

Colin Cook referred to the digital first service assessments that we do of other projects. Of the 94 projects of which we have undertaken such assessments to date, 31 proceeded to the next stage; 29 proceeded to the next stage with conditions; 16 proceeded after remedial action was taken; five remained at their existing stage so that further work could be done; six remained at their existing stage with conditions; and there were seven where the assessments were such that the other categorisations did not apply.

What I am trying to say is that the fact that the organisations concerned go through such assurance processes at each stage of their projects and programmes means that they are taking action as they go to ensure that they put in place the right things that are needed at those points in time to ensure that the next stage of their project or programme will be successful. We cannot guarantee success, but that demonstrates that organisations are participating in the assessment processes and are responding to the recommendations that are made as a result.

Thank you. Does Nick Ford or Colin Cook have any final comments?

I add that some of that relates to what I said at the outset about leadership and culture, and ensuring that, through our training and development of SROs, we do not end up with optimism bias and the wearing of rose-tinted spectacles but instead raise red flags once problems are experienced on projects, escalate matters, bring in the experts to discuss and review the situation and, as part of that process, work with the suppliers to understand the problems.

Historically on such projects, we have typically thought that the situation will get better, instead of bringing in all that capability to look at it. There is a leadership and culture element involved in ensuring that we properly assess what the current state is and do not just expect things to get better. That is an area that we address directly with the training and contract management modules that we have developed for SROs.

Thank you, Mr Ford. I am hoping that that leadership and culture change will be on the way following your arrival in July and that fewer problems with IT projects will come to the committee for consideration in future.

With that, I thank Colin Cook, Nick Ford and Sharon Fairweather for their evidence and close the public part of the meeting.

11:06 Meeting continued in private until 11:29.