The House of Commons' Work and Pensions committee heard fierce
arguments for and against publishing Gateway reviews into
government IT projects
The report of the House of Commons' Work and Pensions committee
devoted a large section to Computer Weekly's call for the
publication of Gateway reviews.
The reviews are carried out by independent teams, usually of four
or five people, who are appointed by the Treasury's Office of
Government Commerce. They give an assessment of a project's
strengths and weaknesses at various critical stages, from inception
to the scheduled delivery of benefits.
The reviews are secret but Computer Weekly has called for them to
be published because it would allow IT staff, Parliament,
stakeholders and others to see if projects are on course. Ministers
and departmental heads are not at present obliged to publish any
information on how projects costing millions and sometimes billions
of pounds are progressing.
The Work and Pensions committee, for example, was frustrated by the
Department for Work and Pensions when MPs asked for details of
internal reviews of IT projects.
The committee's report said, "The secretary of state told us that
alongside the IS/IT structures, the DWP has put in place 'robust
risk management processes'.
"However, our evidence indicated that there is insufficient
compliance with good practice, suggesting that management of risk
and governance, especially project planning, are still
under-developed. We are unable to know the extent of the problem
within the DWP because of non-publication of key documents, such as
business cases and Gateway reviews.
"But on the basis that adherence to best practice by departments
remains patchy, we remain concerned that deals are being signed and
projects are being managed that do not follow best practice."
The committee was told that Gateway reviews are not made public
because secrecy ensures open and honest exchange between the review
and project teams. MPs also heard that review team recommendations
are not compulsory.
Giving evidence to the committee, John Cross, the then DWP's
interim chief information officer, said he could not see why a
Gateway review should not be published. But he added later, "A
point which to us seems to be important is that there is an
extremely open and honest culture within the organisation about
declaring these needs openly. Sometimes organisations clam up if
they feel there is a threat.
"I have come from organisations where the history was that you did
not like to ever declare that anything was wrong because you
thought that was a weakness, whereas actually, it ought to be a
weakness if you do not declare that things are wrong."
Cross said he wanted to create an environment where people could
"say what they like" on project issues. "My one real worry is that
if people became too concerned about the publicity over their
declaration of concerns or issues, that this might dampen them," he
added.
One suggestion to the committee was the publication of a summary of
Gateway reviews. However, the committee's report said, "the DWP was
not even willing to consider publishing a summary version of
Gateway reviews." The department gave as its reason that "it is not
within the gift of the department unilaterally to reverse that
policy [on non-disclosure] without review and debate of the policy
led by the OGC and across departments".
The committee responded, "We believe major IT projects should be
subject to close scrutiny during development."
Several witnesses who gave evidence to the committee supported the
case for reviews to be published. "It struck us as very odd that of
all the stakeholders, the DWP should be the one which clings most
enthusiastically to commercial confidentiality to justify
non-disclosure of crucial information, even to Parliament," the
committee wrote.
The report cited submissions from this publication which suggested
that if Gateway reviewers believed the quality and rigour of their
work would suffer from the publication of reviews, the reviewers
might be too culturally close to those they are investigating. As a
result, they might not be sufficiently independent and objective to
reach the tough conclusions that Gateway reviews sometimes demand.
The committee described this point as "valid".
The committee added, "We are not convinced that the Gateway review
process is so fragile that the current levels of secrecy are
necessary. We are genuinely sympathetic to any reasonable argument
that justifies some material to be excluded from the published
version of a Gateway review, but in our view, the government's
objection to publishing Gateway reviews is based on an untested
assertion that publication would invalidate the review
process.
"Publication of inspections and reviews is a widespread feature of
public life nowadays and there is no reason why a major public IT
project costing millions of pounds should not be subject to the
same open scrutiny that applies in other areas in public
life."
The committee recognised that the reviews have limitations but
recommended that the government "should publish Gateway reviews
with appropriate safeguards or, failing that, to set out how
Parliament otherwise can be provided with the level of information
it needs to scrutinise adequately questions of value for money from
major IT contracts".
In the event that the case against full publication of Gateway
reviews can be substantiated, "we call upon the department to
provide a summary document of each review within six weeks of the
review being completed".
More steps to genuine transparency
The committee's report suggested government departments publish
strategic, outline and full business cases for each major IT
project.
This would, at an early phase, "provide Parliament with most of
the necessary information with which to assess the outcomes of the
IT programmes and business transformation, while still protecting
the Gateway review process. It also places the onus on the
department rather than on commercial organisations to provide the
project planning."
Computer Weekly's suggestion that Parliament might wish to order
independent audits of major projects that are in trouble was also
noted. The committee concluded, "We consider that the case for
independent audits... is something Parliament may wish to consider,
if the government does not provide Parliament with the necessary
information."
Computer Weekly's evidence
The Work and Pensions committee report cited a series of key
points from Computer Weekly's evidence. These included:
- The problem with IT failures was not a shortage of best
practice, but the lack of adherence to best practice
- End-users must buy into the project. If a system is imposed on
end-users the risk of failure is greatly increased. Departments
sometimes think they have buy-in of end-users whereas they may have
the support of groups of end-users who are so familiar with the
project that they have emotional equity in its success and cease to
be objective
- Large sums seem to be devoted to projects where... the risks
are very high, where it is recognised that those risks are high,
but the policy driving those decisions is such that the IT has to
be implemented
- Large-scale tailoring of tried-and-tested packages can prove as
risky to implement as custom-built software, particularly if the
original software has been written for mainly overseas clients. It
appears to be more sensible to simplify working practices to suit
the software, rather than change the software to suit working
practices
- Gateway reviews are invaluable but departments do not have to
act on them.
Shaking up government IT >>