Examination of Witnesses (Questions 40
MONDAY 26 FEBRUARY 2001
40. From the report it is quite difficult
to work out who was most incompetent: Pathway, who were unable
to deliver, who were never going to be able to deliver, the Department
who were signing up to a contract that in my view had more holes
than a sieve, and that has clearly shown howI do not like
the word "incompetent", I should use another wordproblems
have arisen. If you look at page 58, paragraph 3.19, for a start,
the CAPS programme was going along with the scheme and it was
very important that the CAPS scheme worked but that had failed
already. This had actually failed by 1997 as well and yet nobody
had picked it up.
(Ms Lomax) The CAPS scheme involved making changes
which went right across the benefits system and that turned out
to be more complicated than people had appreciated to start off
with. After the February 1997 replan CAPS delivered again to all
its timescales and it has actually been a great success, it is
not a failure.
41. It had been a failure up until then
because it clearly states in the report at 3.19: "It is clear
that the risks of late delivery of CAPS were not well managed
prior to the replan of the whole CAPS and Payment Card programme..."
etc., and people were not being informed, Pathway were not being
informed, the Post Office were not being informed, so they were
going on their merry way with this doomed project and about this
CAPS, which was so important to the project itself, nobody was
actually telling them.
(Mr McCorkell) I think leading up to 1996 the CAPS
programme was running behind schedule to deliver to the then contracted
timetable. That was identified and a major review took place and
major actions were taken, which I think are mentioned in the report,
to put the CAPS programme back on line. So CAPS, as well as the
other two parties, in 1996 recognised that we could not meet the
original timescale defined. We then undertook very significant
action to bring that back on line, and hence agreed the replan
for February 1997.
42. I am not wanting to be political or
anything like that, I try not to be, but one has got to see the
chronology of all this. Did the Government that came in at the
time have the unenviable task of basically clearing up what was
(Ms Lomax) I think they inherited a very difficult
project and it took a long time to get it on track.
Mr Steinberg: The Post Office have got away
with murder because I wanted to get on to them next but I have
not got the time.
43. Permanent Secretary, we have been told
a partial explanation of why we are where we are, that it was
a pioneering project, which I assume you would agree with?
(Ms Lomax) Yes.
44. It was a large project with up to one
billion pounds worth of payments that Pathway had identified,
that is agreed. It was a complex project, that is also agreed.
In that case, when the risk analysis was being carried out, why
was it that the risk of inadequate project management methods,
the risk of inadequate planning and the risk of inadequate risk
management were not even identified as risks? They were not identified
in 1995 and they were not identified in March 1996. Now we find
in April 1998 that they were high probability risks with high
impact expectations. How on earth could whoever drew up the risk
register not have taken that into account, the fact that dealing
with something so large, so complex, meant that management itself
was a risk?
(Ms Lomax) I am surprised at what you say and I am
wondering what it is based on.
45. If you look at page 90, Appendix 7,
item 15 at the bottom of the page, there is a description of risk
and there was no entry in September 1995 and in march 1996 it
says "not identified" and then if you move to the final
column it had been recognised by April 1997 and in 1997-98 it
was regarded as high risk under both headings.
(Ms Lomax) These are the purchasers' risk assessment
of Pathway's proposals and Pathway's own risk registers did not
mention inadequate project management methods, planning and risk
management. I do not know.
46. Who drew up this list? How was it devised?
Who was responsible for that? Was it the Department? Would they
be the people solely responsible?
(Ms Lomax) This was the joint procurement authority
presumably that drew up the list.
47. So who is putting hands up and saying "we
were party to this"?
(Ms Lomax) The DSS and the Post Office. This was a
joint procurement, part of which
48. And neither of you recognised the possibility
that management and risk management could possibly be worth listing
as risk factors? I find that astonishing.
(Mr McCorkell) What we are looking at here, and the
point you are making, is the stage before the procurement and
the difference in the stage up to the procurement. During the
procurement these would have been identified as risks but may
not have been identified as major risks given at that time the
appreciation of the real scale and complexity of what we were
trying to do and the difficulties that we were facing under the
PFI methods of development were not recognised. What is shown
here is that following procurement, when we tried to deliver this,
the risk management methodology immediately started to spot these
as significant risks because we now realised the scale of what
we were attempting and realised the restrictions under the contract
under which we had to develop it. So they became highlighted risks.
I think this is showing that risk management after procurement
picked up these issues. Before the procurement, part of the misunderstanding
of how a PFI contract would work did not highlight these as major
49. Looking at this table it is a devastating
indictment. Just look down the column for March 1996 for all the
items there "cleared, cleared, cleared, cleared, cleared,
cleared, not identified". The security requirements were
seen as a medium risk in 1996 and yet by April 1998 had become
a very high risk. Surely you should have started off with that
as being one of the highest risk problems, should you not?
(Mr McCorkell) I think it is the nature of risk management
that risks (a) can arise later in the process, (b) increase later
in the process, and (c) some risks which you may take off your
register, in fact it is part of our methodology that we keep reviewing
them, may well come back on the register. Again, we are looking
here at a procurement phase and development and implementation
50. You are managers, you are not low level
managers, you are top level managers, you are being paid high
salaries, and one would have thought when it comes to identifying
risk you would want to ensure that you have some sort of consensus
on what both parties were contracting for. Pathway have a legitimate
complaint to my mind because you asked them to share the risks
but you did not tell them what you thought the risks were.
(Mr McCorkell) If I can try to explain just a little
bit further. The security risk is
51. That is just one of them, I am talking
about all of them.
(Mr McCorkell) The security risk was identified as
a risk during the procurement process. There was a proposal to
meet that risk. There was high level definition of the extended
verification process. That was acceptable to the procurement process,
we believed that would work and, therefore, that was down to medium
risk. When we started to develop the detail, as Mr Oppenheim pointed
out earlier, that became much more difficult because of the interaction
between the three parties and, therefore, because it was absolutely
vital to our system it went straight back up the risk register
and became a high risk and would remain a high risk until it was
fully developed and delivered.
52. I just cannot understand, rather than
try to work on the basis of collective wisdom and collective experience,
something that is pioneering, and, therefore, pooling your knowledge
and pooling your thoughts, the Post Office or the purchasers made,
according to Pathway, top of the final two columns that neither
of these risks registered were shared or discussed formally with
them. Surely that is crazy, it is lunatic? Did anyone resign?
(Mr Roberts) That was at the time exactly the way
PFI was expected to operate and we were being
53. When you say, "was expected to
operate", if it is intended to be a pioneering method a pioneering
project, you have to pioneer the method of operation. On something
of £1 billion it would seem to me that pooling ideas on risk
was sheer common sense, not postdated common sense.
(Mr Roberts) I would absolutely agree with you. Q:
Then why did you not do it? Roberts: Because it was not what we
were told to do at the time.
54. Do you not have any initiative? What
are you paid for?
(Ms Lomax) Can I introduce some things in here? The
point that Mr Roberts is making is that the PFI was all about
transferring risks to the people who were best designed to manage
them, and in the thinking about PFI it was very much, "You
do your thing; we will do our thing". Nevertheless, informally,
there was a great deal of discussion about risks during this project,
a great deal of discussion. Risks were regularly discussed at
project boards and steering committees, and all the rest of it.
The difference from our approach to risk at the moment is that
sharing of risks registered now would be formally written into
the contract. We would have a much more open process mandated
under the contract.
55. That sounds much more rational, but
it is not what you signed up to. You signed up to this Report.
The heading says, "Pathway told the NAO that neither of these
registers were shared nor discussed formally with them".
You are just trying to give the idea that there was a meaningful
interchange. Let us ask Pathway, do you feel that there was a
meaningful exchange at an informal level?
(Mr Oppenheim) We would have preferred a more joined-up
approach, which is certainly what will happen now. The problem
was one of silos as I think you are alluding to. The notion was
that we could operate in our respective silos and deal at the
boundary. In actual fact, with such a complex end-to-end system,
which involves processes right through from one end to the other
and back again, that does not work.
56. It is small wonder that IBM dropped
out and the other company. You cannot blame them. You were very
lucky to get anyone who was daft enough to enter into an agreement
with you on the basis that you will not tell them what is at risk
when you, the Department, and you, the Post Office, are the people
who know what is needed and what the operational risks are. How
(Ms Lomax) People have doubts about PFI as the framework
for doing development work for IT.
57. You have doubts about it still?
(Ms Lomax) We have needed to reinterpret what PFI
means as applied to IT projects quite substantially. That is what
all of these reviews and reports you have been doing, the new
guidance is about. What we are doing for our current modernisation
projects, such as Child Support reform, is a very difficult subject.
58. As you did not share risk, let us share
blame. How much of the responsibility for the mess we find here
rests with the Department and how much with the Post Office? Then
you can each tell me who resigned in each as a result of it. Let
us start with the Department. What is your view of this situation?
(Ms Lomax) Speaking as somebody who was not in the
Department when this went on, I have looked at it very thoroughly
in preparation for this hearing, as well as earlier, and I think
the Department actually tried very hard to manage a very difficult
contract, and manage an over-ambitious project within a very difficult
contractual framework really quite well. Far from sacking people
involved, many of the people involved are our most experienced
programme and project managers, on whom we would depend to deliver
projects in the future.
59. You managed it quite well, but when
the contract was signed it was intended to have a trial within
ten months of the full system, and three years later no such trial
had ever taken place. That does not look well-managed. Let us
hear your view of why your organisation did so well?
(Mr Roberts) I have a very similar reaction to Rachel