Agenda item 2 is consideration of the oversight and governance arrangements for major information and communications technology projects in Scotland, which is an issue that the committee has taken an interest in for a number of years. We will take evidence on that from a number of Scottish Government representatives: Sharon Fairweather, director of internal audit and assurance; Geoff Huggins, director of digital; Jonathan Ruff, head of digital strategy and policy; and Donald McGillivray, director of safer communities.
We will go straight to questions, and I will begin by asking about a matter that is preying on many of our minds. The National Cyber Security Centre has issued organisations with guidance on what to do, given the heightened state of alert around cyberattacks. Can one of you tell us whether the Scottish Government has been holding discussions with public sector bodies about the heightened risk in light of the Russian invasion of Ukraine?
I think that that is a question for me, convener.
The short answer is yes. We are aware of a heightened risk on the back of the Ukraine invasion. Russia as a state actor and some non-state actors are particular threats in the cyberworld.
As you have said, the National Cyber Security Centre has indicated a heightened state of awareness, and we have been very active in pushing that out and amplifying it to public bodies in Scotland. Our national cybersecurity partnership meets regularly and we have a monthly bulletin, but we have also put out specific communications to all public bodies to make them aware of the heightened threat at present.
There is no specific threat to Scotland or the Scottish public sector at the moment. It is very much a case of having heightened awareness, making people aware and being extra vigilant, but I stress that there is no specific threat to Scotland at the moment.
Has the state of alert been increased in light of the events that have unfolded over the past few weeks?
Yes, very much so. We have an established network of cybersecurity professionals across the Scottish public sector and, as I have said, we have been very active through the network, have drawn the sector’s attention to the NCSC alert and guidance and have reinforced some of our core messaging on cyberresilience, standards, tools and such things. That is the space that we have been in over the past two weeks.
For the sake of completeness, have there been any cyberattacks by Russian sources over the past six weeks?
A couple of cyberincidents have been reported to us over the past six weeks. One was in the public domain: it involved the Scottish Association for Mental Health, which suffered a very serious cyberattack a couple of weeks ago.
There is none that I am aware of that we have traced or linked in any way to the Ukraine conflict or specifically to a Russian threat linked to Ukraine. Incidents happen from time to time, but I am not aware that the recent incidents over the past few weeks have had any specific link to the Ukraine situation.
But clearly you remain vigilant.
Yes.
Right. Thank you.
Can I come in on that question, convener?
Yes, Mr Huggins—please do.
With regard to what we in the Scottish Government are doing with the technology for which we are responsible, we have been working with the NCSC through the checklist of additional measures that it recommends. That checklist is evolving. In addition, my team meets weekly with other public bodies to share information. We have also been running a cyber table-top exercise for the past four or five weeks to get a better understanding of how we would respond in that context.
We have seen some additional activity that might not be directly linked to Ukraine or Russia, but it might be in the context of that situation. Malicious organisations are able to operate under the cover and in the shadow of that in a way that they might not otherwise have done, so we continue to be vigilant.
We have also increased the risk level in respect of the likelihood on our risk register. We have had conversations with our executive team, and we have briefed ministers and kept them involved in what is going on. We are doing what each public body across Scotland will be doing.
Thank you. We might return to those themes later in the session.
I call Sharon Dowey, who joins us on videolink this morning.
Good morning. Audit Scotland’s 2019 report “Enabling digital government” noted that the governance and management structures for overseeing the 2017 digital strategy were “confusing” and that the roles and remits should be kept under review and “clearly articulated”. Can you tell us about the governance and management structures for overseeing the delivery of the Scottish Government and the Convention of Scottish Local Authorities digital strategy that was published in March 2021?
I am happy to pick that up. Following the publication of the strategy last year, we worked with COSLA over the summer and into the autumn to put in place appropriate overarching governance arrangements for it. As a result, there is now a joint ministerial oversight group, which will meet four times a year to focus on the delivery of the commitments in the strategy and on benefits realisation. It met for the first time at the beginning of March, with an agenda that was focused on the reporting arrangements in respect of the different commitments, and the intention is that it will meet again in the summer and then in the autumn. We will refine that approach as we work through the process of identifying those people who are accountable for particular commitments and looking to the wider benefits that we seek to deliver.
Quite often, you can do all the things that you said that you were going to do, but you do not get the benefit that you said that you were going to achieve. We are, therefore, thinking beyond simply the particular deliverables, and we are using that approach for both the internal management of the strategy and the external public reporting on what is actually being achieved under it.
In addition, we in the Scottish Government did a piece of work over the autumn on what we might describe as the connective tissue—in other words, how we deliver digital functions across a complex organisation in a way that gives us assurance and confidence about what we are doing. As part of that, we will be reforming and changing what was previously the central Government digital transformation board to create a digital board that brings together senior directors in the Scottish Government, along with representatives of the non-departmental public bodies and the delivery agencies. The intention is that the board will be the staging post for the material that goes to the group involving ministers and COSLA with regard to confidence about delivery.
However, the new board will also look at horizontal issues—that is, the things that we need to do across Government with regard to many commitments and projects around the general data protection regulation, assurance and capability and the other areas that are key ingredients in the successful delivery of a programme of work. We anticipate that the board will meet in its new format for the first time in June.
We have taken the 2019 report quite seriously; indeed, it was a key document for our internal review of how we operate. It is helpful that you mentioned that the strategy is a joint one—indeed, it is the first such digital strategy. We are aware that the Digital Office for Scottish Local Government, COSLA and the Society of Local Authority Chief Executives and Senior Managers—SOLACE—have also been working on their commitments under the strategy to identify appropriate governance and co-ordination across the 32 councils, but it is not really for me to comment on that.
I am sorry, but did you say that there are two groups? You said that one met for the first time in March—which I take to be March 2022—and another group is due to meet for the first time in June 2022. Are there two different groups considering the matter?
There is the ministerial and COSLA group, which is chaired by Councillor Macgregor and Kate Forbes, the Cabinet Secretary for Finance and the Economy, and then there is an official-level group, which produces the material that flows into the ministerial group. That official-level group replaces a previous group, which was a bit more amorphous in its functions and responsibilities and perhaps led to the 2019 Audit Scotland report. The official-level group has a clearer and more direct remit with responsibility for co-ordination and securing delivery of the strategy.
So you are happy that you are taking on board all the comments from the 2019 report.
They were on point and helpful. Our objective is to deliver good-quality public services and value for money, and things that enable us to do so are good news.
Moving on to questions on governance, assurance and oversight of major ICT projects, I call Willie Coffey, who also joins us by videolink.
Good morning, panel. I want to ask a couple of questions on progress with the technical assurance framework.
The witnesses are bound to recall the factors and key reasons for ICT projects failing in the past: project planning, the lack of application of quality-management processes and skills identification. Indeed, skills problems and the skills mix have always been problems. The committee felt that there were a number of issues that, over the years, have led to projects running over time and over budget. The i6 project, for example, was particularly bad in that respect. We saw how things tended to be rushed from the start, how projects were poorly defined and how too many changes were made along the way, all of which led to overruns. As I recall, the i6 project itself was abandoned altogether.
I wonder whether Geoff Huggins and Donny McGillivray can give us an overview of where we are now with all those issues. Have we captured the problems? Are the processes that we embraced and the various other frameworks in place and working towards successful delivery?
That is quite a big question. I will pick off some elements and then invite Sharon Fairweather to talk about the assurance process that has been put in place and how it has changed.
Going over the reports from the committee and from Audit Scotland, we can see that, over the years, a number of things have not gone the way that we might have expected, and the items that you have identified such as poor planning, unrealistic expectations about time and the absence of capability are all elements with which we are now familiar. In the work that we are doing across the Scottish Government and public bodies more widely, we are focused on addressing a number of those areas. For example, we are looking at capability and the availability of digital skills and digital professionals in the delivery pipeline and are doing a number of things to increase that resource and strength. We are also helping colleagues who might not be digital colleagues understand where those professional skills fit in, just as we use accountants, lawyers, economists and statisticians for their particular skills. Growing that capability across Government and then using it wisely are key components of our work.
09:15

With regard to forecasting and finance, it is generally much easier to look back at the end of a programme and understand how it ran than to know at the start how it is going to run. One of the challenges that we face is that although we could invest a lot more time and money up front in trying to work through every scenario and plan for every eventuality, that raises the question of proportionality. By trying to close off all risks, we might end up spending more money and taking longer to do something.
We apply good planning through the business case model, using the finance manual and the learning from previous programmes, but we are also building in contingency in the expectation that things will not run exactly as we predict and on the understanding that there might be challenges with partner bodies or what we might describe as gotchas along the way, where something appears and surprises us in the delivery of the programme. In areas where there is perhaps less uncertainty, we are building in the expectation that time and budgets might move.
We are applying the idea of contingency and addressing overconfidence in a careful and sensible way. There are things in any project that we know the cost of and know will take a certain length of time, but there will be other elements that we will only really know more about once we get into the process. There is also a strong emphasis on design and working with end users of products, but we can do that work only during the delivery process—we cannot do it ahead of that.
In each of those areas, we are building on the learning. Members can be assured that we pay a lot of attention to the reports from both this committee and Audit Scotland. They keep people like me awake at night with regard to the individual programmes and projects for which we are responsible, and with the concern that we might not know all that we need to know. The iterative process of learning from previous successes and failures is important.
Another point that I would make is that we do relatively few different things through technology. We pay people, record information, make assessments, share information and notify and inform people, but we tailor the technology to particular services, whether in social security, education or justice. The key element is that we need, increasingly, to standardise the processes and technologies that we use to do those different things. Covid showed us, through, for example, the Covid status application, that we could move very quickly using a series of off-the-shelf components that we already had. The challenge then became one of assembling those components, and testing and user testing to deliver them in practice.
Such an approach meant that we could quickly have confidence in the robustness of the technology, and we could take the project from a request to delivery in three to four months without an extensive business planning process and 16 gateway reviews. That approach of being smarter about how we use existing technology and infrastructure will be key to the next five years of public sector technology.
Sharon Fairweather might want to say a bit about the assurance process.
The technology assurance framework has become well established. We now have more than 500 projects on our register, so our process of going out to the public bodies every six months for information is now well practised, and the bodies are now much more forthcoming with information at an early stage around projects that they are considering. That gives us an opportunity to get in much earlier to help support them as they develop their plans for projects, which is a good thing.
Looking at the statistics for the past five years with regard to the reviews that we have undertaken both for major projects and around the digital service Scotland standard, we find that maybe only about 30 per cent of those have given a clean bill of health, allowing a project to proceed to the next stage without requiring any remedial action. That demonstrates that we are getting in at a much earlier stage to help keep projects and programmes on track and ensure that they do what they need to do before they proceed to the next stage. That is a very good sign that this sort of thing is now happening and that the assurance framework is well embedded.
We must take a risk-based approach to assurance, because we do not have the resources to carry out the assurance process on every project that is undertaken. We will not catch everything all the time; issues will still arise for a whole variety of reasons. However, we are getting in early and picking up more things at an earlier stage.
I should also say that we continuously update our review processes. For example, we recently updated our major reviews process, working with our procurement, cyber, digital and finance colleagues. We continuously pick up the lessons that we are learning as we do the work and feed all that back into our review processes.
Thank you. Willie Coffey does have further questions, but for technical reasons, he has had to switch to audio only.
That would have to happen during a discussion about ICT, wouldn’t it, convener? [Laughter.]
Absolutely.
I heard clearly and really appreciated those good, lengthy and detailed answers. I will not pick out individual projects—I think that Craig Hoy might refer to a few key ones later on—but going back to Geoff Huggins’s comments on the benefits of good design, I would suggest that, if you have good design and a clear specification for a piece of software, you are in with a good chance of delivering on time and on budget. Is that not the case? Are you able to assure the committee that we are in a good place with the range of projects that are being worked on—a figure of more than 500 was mentioned—and that we know that the design, specifications and skills mix are good enough to deliver those projects on time and on budget? In short, are all the projects that are on our books well defined and capable of being delivered on time and on budget?
That is quite a broad question. I will begin by saying that I have not reviewed 500 projects, so I can speak only to those that I have seen and have direct knowledge of.
Let me reflect on some of the challenges that we see with individual projects. First, there is the challenge of changing requirements. As time moves on, people think differently about the objective that they are looking to secure, and good programme management is required to understand the degree to which it is reasonable to make those adjustments or whether you need to hold to the original requirements.
The committee has previously reflected on this, but we also face a challenge with regard to skills and capabilities. We are doing good work to address that, and I hope that we will get to talk about that issue at some point during this evidence session.
Over the past three or four years, the design process has been growing across the public sector and, as part of that, we are moving from the idea of undertaking technology or ICT projects to the idea of using digital as one of the tools for reforming public services. We often talk about the technology component of a public service reform as the place where much of the challenge resides; ultimately, however, digital is a means of serving the public better, so it needs to be woven into changes to how our workforce functions, including how we interact with the public and what their expectations are. As a result, I am cautious of overly attributing the change process purely to ICT or the digital component of that process. In the areas of reform that we are looking at, such as education, there are changes to organisations, the legal framework and the expectations of the delivery mechanisms, and there are also changing cultural expectations. The digital component is just one element of all that.
We are probably in a better state than we were two or three years ago, but it is an area in which we must continue to make improvements. I am not content just to say that everything is fine, which I think is the substance of your question; indeed, I am not at all happy to say that, because there will continue to be things that we can do to improve the quality and robustness of what we do.
Can you assure us that we are not likely to see another i6 project any time soon?
I think that, when someone asks you whether that sort of thing is likely to happen, it makes you look at your likely retirement date.
I can assure you that the processes that we have in place are designed in such a way that, if we have good actors and if appropriate attention is paid across the system in 100-plus organisations, such an event will be less likely to happen. However, if you are asking for a cast-iron guarantee that we will not see such a project again, I am reluctant to give you that.
Thank you very much for that. Back to you, convener.
I simply note that, at the moment, Police Scotland has five major ICT projects under way. I hope that another i6 is not around the corner.
I call Craig Hoy, who has some questions to ask.
Good morning. Mr Huggins, the 2019 report suggested that a single individual be made responsible for overseeing Government ICT projects. The Government took that recommendation on board and said that it would consider it. You are the director of digital, so is that your role? If it is not, can you give us an indication of where the Government’s present thinking is in relation to the creation of that role?
It is an interesting proposition and I reflected on it when I was rereading the 2019 report and the report that the previous incarnation of this committee produced last March. In part, this comes back to my answer to Mr Coffey, which was that, within accountability and how we understand these programmes of work, we do not see ICT as something separate from the delivery of good-quality public services. That is in the same way that, across the Scottish Government, we do not have a single person who is responsible for public sector workforce projects and programmes of work.
We do not like to see stand-alone information technology projects; we look for them to be woven into the business model of the public sector agency that is taking forward the delivery of particular services. For that reason, it is entirely appropriate that accountability for individual programmes of work sits in the accountability structure for the wider responsibilities of such organisations, whether that is a health board, an organisation such as Forestry Scotland or an agency. That requires the person who is the accountable officer in the organisation to be thinking about digital as part of his or her armoury in how they take forward change.
During the autumn, we reflected on our connective tissue and we identified the need to improve our work on what we might describe as horizontal functions, which are functions that are common to each programme of work, such as the capability to deliver, the cybersecurity wrapper and the process of protecting privacy and delivering GDPR. We think that the digital directorate, alongside other directorates such as internal audit and assurance, has a role in raising standards generally, to give accountable officers and senior responsible officers across the organisation a better chance of being successful in the delivery of their programmes.
The other element is mapping that across the different ecosystems in which we operate. We do not have a single digital public sector ecosystem. At an abstract level, perhaps we do, but once we step into an area such as justice, the majority of nearly all the functionality that is delivered in digital is delivered by external public bodies—Police Scotland, the Scottish Prison Service and the Scottish Courts and Tribunals Service. The challenge for those organisations is to work effectively together towards common objectives in respect of the protection of the public and rehabilitation of offenders.
Some of the ecosystems are closer to the Scottish Government. For example, for agriculture and rural economy, the majority of functions sit within the Scottish Government or its agencies. Again, we are looking for that ecosystem to be working effectively with a shared set of objectives, and for each of the organisations within the ecosystem to have its own accountability.
09:30

If you were to decide to allocate all that accountability to me, there would be real risk. First, I would be very busy and would probably never sleep, and secondly, it would, to a degree, mean that those people who were actually closest to the action would not be discharging their accountability functions in an appropriate way.
Was that quite a long way of saying that the Government has discounted that recommendation?
It is too strong to say that we have discounted it. We understand the intention behind the recommendation, which identifies the need for us to give clearer direction around a number of those horizontal functions and to improve robustness. In some areas, I think that it will take us towards giving greater direction on things such as architecture. However, I do not agree that we should divest the accountable officers who are responsible for delivering services of accountability for the digital component of that service; I think that would be a wrong step.
To go back to the recommendation, it was not necessarily about making someone accountable, but was about having an oversight function. Is there not a need for an oversight function with a clear line of accountability?
The text of the recommendation identified the function as involving a single officer who would be responsible overall. That feels quite strong—it feels like accountability. In the context of accountability, my concern is that that would begin to produce confusion as to exactly who was responsible for delivery.
In addition, the money that is used to support the digital programmes comes from allocations that are made to individual public bodies or agencies, not from a budget that I hold. The choices that are made regarding which programmes to take forward and initiate, therefore, do not sit with me. The challenge of being responsible for things that I do not control is slightly worrying.
As I said, I understand the import of the recommendation. With regard to the mischief—the sense that there is not sufficient direction, control and orchestration—I would agree with that assessment, and we are, through the digital committee and the horizontal work, taking a number of steps to address those challenges.
Ms Fairweather, I saw you nodding in agreement there, so I assume that you are going to validate that position. From an audit, governance and accountability perspective, would it not make sense to have a single figure in the Government on whose door we could knock if we had concerns about the way that ICT projects were developing?
I echo much of what Geoff Huggins said. The accountability for the delivery of public services sits with the accountable officers in the organisations responsible, and that incorporates the digital element of the delivery of those services. Each of those bodies has its own assurance framework: they have external and internal audit and they are accountable to Parliament for delivery of those public services, so it is right that accountability for the digital element of those services sits with them, too.
We work closely with Geoff Huggins’s team and the public bodies for which we provide an internal audit service, but I would expect to be looking first and foremost at the individual bodies and their accountability for their projects within those bodies. We will then work within the Scottish Government on—as Geoff Huggins put it—the horizontal themes, the lessons learned and ensuring that all the structures and processes are in place to support as good a delivery as possible.
The key point for me is the point that Geoff makes: IT is an enabler, and it is very difficult to extract the IT element from all the rest of the delivery of improving public services. It all has to be part of the whole in order to deliver that change in service.
Mr Huggins, I think that Mr Coffey referred to the major projects that are currently under way, which are critical to the delivery of the digital strategy. At this point in time, are there any that are giving you further sleepless nights?
The specific major projects to which the digital strategy referred generally focus on the area that we have described as common platforms. For me, that is the work on the use of cloud infrastructure, the work on identity and the work on payments. Each of those sits within my responsibilities as well, so as a consequence they are more likely to keep me awake at night.
The broader strategy mentions a number of different areas, but it does not have a particular focus on any particular major projects, as they sit within other strategies, whether that is the health and care strategy, the justice strategy, or the education strategy.
On the areas for which I am accountable and in which the digital directorate is in the lead, we have done some work since the summer of last year to reorganise and address how we deliver the programmes. In December, we made the first run of payments using the Scottish Government’s payment platform, which was a key milestone for the delivery of a programme. We made a payments run for the independent living fund, and we expect that that will be the mechanism by which independent living fund payments are made by the time that we get into the summer. That programme of work is clearly working its way through the process of minimum viable product to alpha and beta and into live service.
There will be quite an interesting change for us because, with the exception of some work that we do around publishing through the mygov.scot website, that will take the Scottish Government into delivering a live technology service to more than one external public body, which will then rely on that. That takes my team into having to build a new set of skills relating to the robustness and on-going management of technology and into commercial models. In effect, we are going through the process of building new skills in teams within the directorate to be able to accommodate that.
Alongside that, there is the work on identity, which is a key concept in digital technology. I am talking about the idea that I can demonstrate to a body that I am me and I can use that identity to do things, such as make a payment or access a service. That involves complex technology, and the United Kingdom Government and other European nations are working on that. We are talking to colleagues from Denmark and Estonia who have also taken forward programmes of work in that area.
Over the past four or five months, we have made significant progress in that work in relation to the delivery of a single sign-on product. That is a first step. As we go into the second half of this year, we will be looking at attribute stores. Quite a lot of change is needed to make the programme considerably more robust, and there will be a review of the programme management and governance for each project.
The other thing on my list is the work on cloud services and cloud infrastructure. I suppose that that is an enabler of an enabler. We anticipate that, as we step into the next period of time, most public services will run on cloud rather than on more traditional on-premise services. Over the past couple of years, we have seen each organisation having to build some of the core infrastructure—not directly, but quite often through third parties—as it makes that journey. The core infrastructure is pretty common. It is the sort of thing that should be used many times having been used once. If we are doing something in a common way, that also allows us to think about how we can bring it within our cybershield. Doing something in a common way makes it more predictable and less likely to fail.
That programme of work is slightly more mixed than the other two programmes. It involves developing the conceptual model of how we take that forward and some of the core infrastructure in relation to account management and FinOps, because cloud is notoriously a service that is paid for on the basis of consumption, so how one architects particular technology will affect how much it costs to run.
All those programmes of work keep me awake at night at different times. However, I feel considerably more comfortable now than I did in the summer of last year about the skills capability and work that is going on.
In relation to how comfortable you feel, can you provide the committee with an update on how the social security software components are progressing?
It has been a really interesting programme of work. It is a major technology investment and transformation programme. Social Security Scotland launched the child disability payment at the end of last year and is in the first phase of the adult disability benefit payment. In effect, it has brought across nine out of the 10 major benefits that it wants to bring across. It is clear that it has learned and has iterated and applied a lot of the design in the way that we would expect; it is building very modern infrastructure of the kind that we would expect to see.
I sit on Social Security Scotland’s programme board and meet its senior technology leader on a regular basis, so I have good visibility of that programme. That is a good example of how we work across the Scottish Government to build confidence in the work that is being done.
The social security work has been a major undertaking. The fact that it has gone remarkably well is a testament to all those who have been involved in that work. I think that I was on the programme board as far back as 2017, and it is just as interesting to see what is being done now as it was to see what was done at the start. The capability that has been built up over the past seven or eight years in order to build the system will begin to become available to other programmes of work, as Social Security Scotland moves into a business-as-usual model and moves away from the very significant development phase that it has been going through. I hope that, by the time we get into 2024, I will be offered technologists, service designers and user researchers that I can deploy across other programmes of work.
The final area that I want to ask about is financial controls and prioritisation of spend. Audit Scotland’s “Enabling digital government” report highlighted that there is no complete picture of the number and cost of digital projects across the public sector. In response to our predecessor committee in March 2021, the Scottish Government said that it was about to implement a new spending controls process. Could you bring us up to date on that and tell us where the Government’s thinking is in relation to IT prioritisation and control of spend?
That is a really interesting and quite challenging programme of work. I have two or three points to make at the outset. First, we are being very careful to ensure that it is not simply another layer that replicates what is already happening through the digital assurance process. It needs to add a different value, as opposed to being a further process that people go through.
Over the autumn and into this year, we have spent time looking at the interaction between those different processes, such that we can explain how, cumulatively, they add value and demonstrate that they do not amount to duplication. As well as doing that piece of work, we are conscious that applying a control through such a process interacts with accountable officer and senior responsible officer responsibilities. That takes us to an approach that is focused on identifying and highlighting risks, and escalating them into the accountability space to look for an appropriate response—such as mitigation or change of direction—within that process, without looking to dilute the accountable officer responsibility.
As far as the practicalities are concerned, we have done an analysis of how we spend money on digital, which takes what might be described as a sideways look by going through and tagging where money has gone on digital—whether on contingent staff, consumables or contracts and procurements—which, at times, can be difficult to do accurately. Instead of looking down the individual programmes, that involves looking almost sideways at the budget.
09:45
That has given us a set of interesting challenges. For example, if an area struggled to recruit and then took on contingent or contractor labour, there would be additional costs in that space. Equally, there would be a challenge relating to the next stage, because having an externally managed contract would lead to further costs. Those things tend not to be that visible in the process of looking at individual programmes of work and understanding those dynamics. As part of the process, we are working through how we understand how money is used.
In relation to practical application, we have agreed that we will run a pilot, which, in the interests of fairness and transparency, will apply to me first. I guess that it is the idea of eating your own dog food and taking that learning. I am keen that we experience exactly what it feels like to be subject to spend controls. We are looking at two or three programmes of work on the Government’s internal technology. Those relate to, for example, the process and evolution of telephony over the next period. In effect, we are considering, if we apply the framework that is being developed, how it will operate in practice.
We should reflect on one further issue. If we apply spend controls, that suggests that we have knowledge of what we might expect to find in relation to a particular type of programme, so the work that we are doing on component-based architecture, architectural principles, capability and design will become very relevant to a spend control process. If we make an assessment, it will not just be an individual’s view, with someone saying, “I’m a professional, and I think you should do it this way.” Instead, we will have consensus on what we might expect to find in an individual programme. That work is still developing. Particular structures are being put in place to create some agreed frameworks for how we do things.
That is where we are. We are in a test period while we develop some of the artefacts that sit around the issue. We are conscious of how the work fits into the broader ecosystem of governance and control.
I have a final question on a specific project. Earlier, you mentioned the Covid status app as an example of agility in the Government’s IT and, I assume, procurement processes. I just want to interrogate the dynamic of how the spending control process would work in practice. The initial estimate for that project was something in the region of £600,000, but my understanding from recent media coverage is that the cost ended up at £7 million. How would the spending control process ensure that such a project worked? I am not sure that that level of spend even counts as a major ICT project, but I want to understand how such a project evolves and what spending control mechanisms are in place.
I have not seen the financials, but one of the key elements of the componentry that goes into such a programme of work is the validation of identity. When you signed up for the app, which I presume you did—
Reluctantly.
—you were validated. That involved the tying of your identity to a particular set of data on the vaccination database. If I understand it correctly, that process requires a one-to-one matching of you with your data through the Jumio product. We have the same challenge with our identity programme. That process has a component cost; I guess, based on markets, that it probably cost something between £1 and £2 to do that match. There is a market associated with the UK Government contract framework for such services. Every time someone signed up for the app—2.5 million people signed up—there would have been a cost of somewhere between £1 and £2. At the beginning, those components of the cost of the project were probably not contemplated.
Again, I do not have direct responsibility for that project, but I guess that that shows how something that you had not anticipated that you would need to do becomes a cost in a project.
I presume that that talks to the point that the control mechanisms in Government maybe still need to be tightened up.
It probably comes back to a design issue but, in fairness, the urgency with which the programme is being taken forward probably takes it into a slightly different box. With my identity programme, which will require a similar type of service, if in two years you are asking me why it cost three times as much and I say that it is because I did not quite realise that I was going to have to pay for identity services, I would look a bit daft. I have the time to work through that and to budget for it appropriately.
One reason why the committee has had an interest in major ICT projects down the years is because there have been some fairly notorious cost overruns and failed applications such as those in NHS 24, the Scottish Public Pensions Agency, the common agricultural policy futures programme and the police i6 project, which has been mentioned.
I want to go back to your point that there is an existing structure of accountable officers. The committee has previously said that a much firmer grip needs to be taken of the issue and that there need to be much clearer lines of responsibility. As I understand it from reading the list of Police Scotland IT projects, it has five or six on at the moment—well, five, anyway. There are projects on the unified communications and contact platform, digital evidence-sharing capability, the national integrated command and control system, core operational solutions and mobile working. Who has oversight of all those different projects?
Those programmes will appear on our list and will be subject to the assurance processes that are taken forward through gateway reviews, but the accountability for them sits with the accountable officers in Police Scotland and the Scottish Police Authority. That is appropriate, because the programmes are mechanisms by which those bodies discharge their functions of delivering a police service—they are not IT or technology companies, but they are required to build that into the process of delivering the service that they deliver. Therefore, the accountability sits with them.
What is different now compared to the position when the i6 project was under way?
A number of things are different and a number of things are changing. First, we have better knowledge of why things do not work and lessons have been learned and are being applied. We have greater attention to the capability and also to digital leadership in organisations. One of our key objectives in the next 12 months is to increase the number of senior people across the public sector who are in effect digital professionals. We want to move it from being at a lower level in organisations, with digital services being managed by generalists, to increase visibility of digital leaders in our organisations, including the Scottish Government.
This year, we will run a deputy director board to effectively establish a number of digital, data and technology professional deputy directors who will sit in portfolios and bring their knowledge and understanding of programmes that work. That is elevating the digital leadership component, with the objective that those people will be part of senior management teams across the organisation. That knowledge, capability and leadership are core. Alongside that, we have the leading in a digital world programme, which works with people who work in the digital space as well as other leaders. The programme is part of the Scottish digital academy’s work to increase knowledge and understanding of digital programmes that work. It extends beyond the design components and elements into understanding governance and control of process as well as what can go wrong and what has gone wrong.
A number of things are in place. However, the bigger set of changes is the work on horizontals, whether that is through better assurance and compliance or understanding the implications of running services directly. Increasingly, we are digital organisations. Ten or 15 years ago, we were not digital organisations and we maybe had third parties who did digital things for us. Now it makes no sense for us not to see ourselves as, in effect, digital organisations.
We may have a session in the future when we drill a bit more deeply into some of the individual ICT projects.
I will now hand over to Colin Beattie, who has a number of questions.
I will build on what the convener has been talking about. Over the past 11 years on the committee, I have seen a whole progression of ICT projects that have failed, or that have failed to deliver what was expected. In some cases, they were abandoned.
We have had responsible officers and accountable officers in front of us. We have heard assurances that there was an acceptance that accountable officers did not necessarily have the skills to manage those projects, and that, within the organisations, there was a lack of end-user understanding of how to interface with the technical experts who were building the programme. Again and again, that has created unwarranted optimism, followed by dismay, when what is delivered does not comply with what was sought.
Over a period of years, the response was for layers of management to be thrown in centrally. At one point, it was bewildering to try and understand which layer did what. I am assuming from what you are saying that that has now resolved itself somewhat, but I do not understand where the change is. We still have the accountable officers being accountable for the projects. The idea was that a central capacity would be created to provide those officers with support to help them identify providers and to help them, as end-users, to gain the skills that were necessary to ensure that the projects delivered what they were supposed to deliver.
We received all those assurances, but I am not clear from what you are saying whether they have actually been delivered. I would be interested to get a little more information on that.
I guess there are a couple of elements there. The work that we have been doing through the digital transformation service is key to this. That is one of the divisions within my directorate that has a focus on how public sector agencies and public bodies work their way through the change process. That tends not to involve the megabodies, which are often well resourced and that have available digital resources, internally and externally.
The digital transformation service is focused on delivering support in a number of ways. It hosts the digital commercial service, which is a joint piece of work between me and the Scottish Government’s director of procurement, Nick Ford. That service deals with how we buy things and how we manage contracts—ensuring that we are buying things in the way that we should buy them, with a sense of surety as to what we deliver. The digital transformation service also hosts the design capability within the directorate, which addresses how organisations work through the user sensor design process and applies items such as accessibility and elements that are core to what we do.
Alongside the work of the platforms division, the digital transformation service is involved in the process of beginning to scope out the public sector architecture and componentry. We have recently used the digital fellowship programme to bring in a senior chief architect. That programme will effectively operate as a sub-board to the digital committee. That is saying how a programme of work should be architected, if it is to produce a greater likelihood of success. We then have the work on the profession and capability, which is taken forward by a separate division. The orchestration of those different elements, which go towards giving a better chance and opportunity of a successful programme of work, is part of the change that we have put in place and that we are continuing to pursue.
Understanding what other organisations need and the best way to provide that to them is also a service. It is not simply about running seminars and providing guidance or telling people what to do. That takes people and organisations to a particular point but often the next stage is for them to ask us how they can apply that knowledge in their own context. That question leads us to work together more closely in a process that is a bit more engaged.
10:00
That functional capability from within the directorate is intended to address some of those issues. However, to be fair, it is more likely to apply to medium and smaller public bodies because larger public bodies, such as the national health service or Police Scotland, are on such a scale that they have their own digital departments and agencies. There are different ways of operating.
Although the NHS and Police Scotland have their own digital people, they have still had IT projects that failed because they did not have the skills to manage the contract. Even contract negotiation has been an issue in some cases. How are we providing them with support in such things? From what I understand from what has been said, the individual accountable officers within the areas in which those projects fall would still have the final say in how the project is managed. Do you have the authority to overrule them if you feel that they are going adrift?
There is a set of arrangements in place on procurement in the digital space. The procurement aspect is handled by the director of procurement using the frameworks that we have in place for purchasing things and the procurement process. Those are robust processes.
Over the past 12 months, we have developed increased support in respect of contract management to ensure that there are robust arrangements in place to manage people who have sold us things or who are selling us on-going services, because things often go wrong after procurement. It is important for organisations to understand the tools and techniques, the documentation and the review that we would expect as part of good contract management. That is an area that has been strengthened through the creation of that additional function between me and the director of procurement.
The challenge is that there are many reasons why a programme of work might fail. Those reasons are often historical—perhaps the model or approach could never have been successful, or the demand for the service that people thought was there was not there at all. It is a common challenge for Governments across the world when they build services that people simply do not use. We are increasing the use of design, testing, MVP and piloting projects as part of the process to reduce the number of project failures.
Most of the projects that we have seen fail have failed not because they were delivering something that the public did not want but because they eventually delivered something that the department or division concerned did not expect, and it was a case of a difference of interpretation between the end users and the techies building the system. It is vital that there is an understanding between the two, yet, again and again, what is being delivered is less than or different from what was expected and unable to be used for one reason or another. Given all that, I would have expected stronger central support.
You have talked about contracts, but surely each individual accountable officer does not have to be trained in the intricacies of a contract to build new software. Is that not the sort of thing that could be centralised, with experts going through contracts and ensuring that all the safeguards are in place? We have seen systems built that had no safeguards at all—there were no penalties on delivery and all sorts of basic things. Is that not the sort of thing that could be usefully and helpfully centralised?
Once you begin to unpick the components of a programme and ascribe elements of that programme to a central function, there is a challenge around the degree to which accountability becomes tangled.
We could maybe take a step back and think about why programmes succeed rather than why they fail. Mr Hoy asked about the social security agency. Social Security Scotland has in place very robust governance arrangements for its programme of work, which the accountable officer is directly involved in on a regular basis. There is a clearly appointed senior responsible owner, supported by the technical capability to execute, both in terms of the technology and design aspect, and the business and commercial aspect. They will then also work with my colleagues and Nick Ford’s colleagues in procurement in relation to understanding the wider dynamics, so they will have some support. However, within their programme of work, they are assuring themselves that the money that they are spending is being used wisely.
That element of understanding the ingredients that you need to put together within the delivery of a major programme is the learning that is being applied through things such as the gateway reviews, which, at the outset, consider whether the resources are in place to give the programme a chance of successful execution.
Earlier, you said that you were expecting technical expertise to reside within the different areas, and the accountable officer would be able to access that expertise internally within his area.
Again and again, what has come to light is that there is not enough technical expertise in the market—there is a huge shortage. Scotland is not alone in that regard. The last estimate that I saw, which was several years ago, was a shortage of 300,000 of such people across Europe. That is a big number and those who are available are demanding salaries that are way above the normal scales. At one point, they were being paid off scale to try to get them in.
Is it realistic to expect that each area will be able to recruit, at some considerable expense, that sort of skill to enable them to build a system? Would it not make more sense for the skills to be available centrally to give that support in a rather more cohesive way?
It is interesting: we came to that conclusion last year in respect of the recruitment of digital professionals. On the basis of that, we developed a proposition under which we would create a separate digital recruitment function, sitting between my directorate and the people directorate in the Scottish Government, that would be focused purely on bringing technical expertise into, initially, the Scottish Government, but, over time, the wider public sector.
We need to understand the dynamics of that market. Digital professionals have skills that enable them to work where they wish and on the projects that they want to work on. As a consequence of that, they tend to move more frequently. Our model of the person who joins Government for life does not apply to digital professionals. We need a way of thinking in which we are continually recruiting. Even if we do not have a vacancy for a programme delivery manager in digital, we should be recruiting for one, because we know that, in six weeks, we will need them.
We have agreements in place for a new service that will launch this year and which will focus on and use the techniques that are being used externally by private sector agencies to recruit digital talent. It is about understanding how people in that space apply and how they expect to interact with the recruitment process. They do not expect a traditional governmental approach.
I recall recruiting in the NHS a couple of years ago, and somebody wrote on their application form, “I’ll tell you at interview,” in response to each of the questions and declined to enumerate any of their competences or skills. We had to work with candidates who we thought were credible to enable them to apply so that we could assess them fairly. We needed, to some degree, to bring them into our world. We will have a new process for bringing that skill into Government.
In terms of values and salaries, we are doing some work on that in the context of the review of digital, data and technology allowances, which shows us that we are not uncompetitive. There is a real risk that Government, as it accelerates and puts more money into the digital area, begins to distort the market, simply because of the demand. If we do that, in effect, we push up the cost of all programmes of work.
For most roles, our salaries are not uncompetitive, but we will struggle to pick up particular skill sets in areas such as cyber, which are like gold dust across the system. Again, it is a case of understanding the process by which we recruit in terms of the dynamics of those we are looking to bring into the sector.
In my experience, there are many people in the private sector who would happily join the public sector; they are people who are motivated by having interesting things to do. Although some people may be motivated by money—we probably do not want them—programmes such as building a new social security system, assisting with the process of helping Ukrainian refugees to come to Scotland and developing a national care service are the really exciting projects of our age.
Although some people may be excited by things such as selling holidays or social media, there are many who will be attracted by the opportunities that exist to change the world, or to be involved in that process. We have not sold ourselves in that way, so we have a number of measures in place that are particularly designed to increase capability. That is one area where we think that there is value because, in the absence of that, all the different areas will be competing with one another for the same talent.
If we look back at previous ICT projects that have failed, we can see that it is almost invariably the case that those are projects in which an NDPB has been involved. That has been the picture historically. How do you provide NDPBs with support? How do you ensure that they do not just go off on their own and create rubbish, which, in some cases, has happened in the past?
So—
At this point, I would like to bring in Sharon Fairweather, who has been trying to get in.
Sorry.
It is not that I do not like listening to Geoff—he is very interesting to talk to.
I should also say that we are getting tight for time.
We talk to every NDPB on a six-monthly basis about their projects. As those projects come on to our project register, we know from an early stage what projects NDPBs are involved in. Right from the start, we get involved in doing the risk assessment around the level of assurance that they need on those projects.
I want to make a couple of points. The technology assurance framework has developed in recent years, partly as a consequence of things such as the common agricultural policy futures programme. With some of the programmes that you referred to as having failed, we have put in significant new assurance structures and have continuously developed them further, using the lessons that we have learned from such programmes. The historical timeline of the projects that you referred to must be borne in mind.
In the period for which the technology assurance framework has been running, we have done more than 300 reviews on major projects—on digital standards. That is not to say that we have reviewed 300 projects, because some projects have more than one review, but because we have done that at various stages, we have been able to capture issues earlier in those projects. There have not been 300 or 150, or even 50, projects that have failed. Some significant projects have failed, but, to an increasing extent, the lessons from project failures are being built into the assurance frameworks and are being caught earlier.
As we have said, we cannot give the committee an assurance that there will not be another project failure; none of us can do that. However, we are seeing continuous improvement in the way in which projects are being delivered. We know that there are areas that we need to look out for. Capability and capacity of digital resources is one such area that we see often, but I think that we are beginning to catch some of that at an earlier stage.
There is one other point that I want to make. Under the technology assurance framework, we have the option to stop a project if we think that it is going seriously off the rails. That is in place, if it is needed.
In view of the time, I will pass back to the convener.
Thank you. I thank the witnesses for their evidence. There are some issues that we will be keen to pursue. As I mentioned earlier, we hope to have a session with the accountable officers for particular projects that have exercised our interest.
I thank Geoff Huggins, Jonathan Ruff, Sharon Fairweather and Donald McGillivray for presenting themselves before the committee; it is appreciated.
I suspend the meeting while we change witnesses.
10:15 Meeting suspended.