The House of Commons' Work and Pensions committee heard fierce arguments for and against publishing Gateway reviews into government IT projects
The report of the House of Commons' Work and Pensions committee devoted a large section to Computer Weekly's call for the publication of Gateway reviews.
The reviews are carried out by independent teams, usually of four or five people, who are appointed by the Treasury's Office of Government Commerce. They give an assessment of a project's strengths and weaknesses at various critical stages, from inception to the scheduled delivery of benefits.
The reviews are secret but Computer Weekly has called for them to be published because it would allow IT staff, Parliament, stakeholders and others to see if projects are on course. Ministers and departmental heads are not at present obliged to publish any information on how projects costing millions and sometimes billions of pounds are progressing.
The Work and Pensions committee, for example, was frustrated by the Department for Work and Pensions when MPs asked for details of internal reviews of IT projects.
The committee's report said, "The secretary of state told us that alongside the IS/IT structures, the DWP has put in place 'robust risk management processes'.
"However, our evidence indicated that there is insufficient compliance with good practice, suggesting that management of risk and governance, especially project planning, are still under-developed. We are unable to know the extent of the problem within the DWP because of non-publication of key documents, such as business cases and Gateway reviews.
"But on the basis that adherence to best practice by departments remains patchy, we remain concerned that deals are being signed and projects are being managed that do not follow best practice."
The committee was told that Gateway reviews are not made public because secrecy ensures open and honest exchange between the review and project teams. MPs also heard that review team recommendations are not compulsory.
Giving evidence to the committee, John Cross, the then DWP's interim chief information officer, said he could not see why a Gateway review should not be published. But he added later, "A point which to us seems to be important is that there is an extremely open and honest culture within the organisation about declaring these needs openly. Sometimes organisations clam up if they feel there is a threat.
"I have come from organisations where the history was that you did not like to ever declare that anything was wrong because you thought that was a weakness, whereas actually, it ought to be a weakness if you do not declare that things are wrong."
Cross said he wanted to create an environment where people could "say what they like" on project issues. "My one real worry is that if people became too concerned about the publicity over their declaration of concerns or issues, that this might dampen them," he added.
One suggestion to the committee was the publication of a summary of Gateway reviews. However, the committee's report said, "the DWP was not even willing to consider publishing a summary version of Gateway reviews." The department gave as its reason that "it is not within the gift of the department unilaterally to reverse that policy [on non-disclosure] without review and debate of the policy led by the OGC and across departments".
The committee responded, "We believe major IT projects should be subject to close scrutiny during development."
Several witnesses who gave evidence to the committee supported the case for reviews to be published. "It struck us as very odd that of all the stakeholders, the DWP should be the one which clings most enthusiastically to commercial confidentiality to justify non-disclosure of crucial information, even to Parliament," the committee wrote.
The report cited submissions from this publication which suggested that if Gateway reviewers believed the quality and rigour of their work would suffer from the publication of reviews, the reviewers might be too culturally close to those they are investigating. As a result, they might not be sufficiently independent and objective to reach the tough conclusions that Gateway reviews sometimes demand. The committee described this point as "valid".
The committee added, "We are not convinced that the Gateway review process is so fragile that the current levels of secrecy are necessary. We are genuinely sympathetic to any reasonable argument that justifies some material to be excluded from the published version of a Gateway review, but in our view, the government's objection to publishing Gateway reviews is based on an untested assertion that publication would invalidate the review process.
"Publication of inspections and reviews is a widespread feature of public life nowadays and there is no reason why a major public IT project costing millions of pounds should not be subject to the same open scrutiny that applies in other areas in public life."
The committee recognised that the reviews have limitations but recommended that the government "should publish Gateway reviews with appropriate safeguards or, failing that, to set out how Parliament otherwise can be provided with the level of information it needs to scrutinise adequately questions of value for money from major IT contracts".
In the event that the case against full publication of Gateway reviews can be substantiated, "we call upon the department to provide a summary document of each review within six weeks of the review being completed".
More steps to genuine transparency
The committee's report suggested government departments publish strategic, outline and full business cases for each major IT project.
This would, at an early phase, "provide Parliament with most of the necessary information with which to assess the outcomes of the IT programmes and business transformation, while still protecting the Gateway review process. It also places the onus on the department rather than on commercial organisations to provide the project planning."
Computer Weekly's suggestion that Parliament might wish to order independent audits of major projects that are in trouble was also noted. The committee concluded, "We consider that the case for independent audits... is something Parliament may wish to consider, if the government does not provide Parliament with the necessary information."
Computer Weekly's evidence
The Work and Pensions committee report cited a series of key points from Computer Weekly's evidence. These included:
The problem with IT failures was not a shortage of best practice, but the lack of adherence to best practice
End-users must buy into the project. If a system is imposed on end-users the risk of failure is greatly increased. Departments sometimes think they have buy-in of end-users whereas they may have the support of groups of end-users who are so familiar with the project that they have emotional equity in its success and cease to be objective
Large sums seem to be devoted to projects where... the risks are very high, where it is recognised that those risks are high, but the policy driving those decisions is such that the IT has to be implemented
Large-scale tailoring of tried-and-tested packages can prove as risky to implement as custom-built software, particularly if the original software has been written for mainly overseas clients. It appears to be more sensible to simplify working practices to suit the software, rather than change the software to suit working practices
Gateway reviews are invaluable but departments do not have to act on them.