We have also received apologies from Alex Neil. Item 1 is a decision on taking business in private. Do we agree to take item 3 in private? Yes, we agree. Colin Cook, director of digital, Anne Moises, chief information officer, Lisa Baron-Broadhurst, programme director of social security and Andy McClintock, chief digital officer of social security. Before I invite an opening statement from the Scottish Government, I think that I may want to give some comments to put this in context because this is the third report that we have received from Audit Scotland in five years. The committee has also considered critical reports about CAP futures and i6, both of which were major and expensive public sector IT projects that frankly didn't perform satisfactorily at all. We don't know the exact cost to the public purse of ICT projects that have not fully delivered but we know it's likely to have been very substantial. It also appears that the public sector faces greater challenges in delivering ICT programmes compared to the private sector. There have, of course, been successes without doubt but we want to be reassured that the Scottish Government and other public bodies have tried to understand fully why previous failures occurred. We also want to be assured that the Scottish Government's new suite of initiatives will actually make the difference this time.
On that basis, can I invite Colin Cook to give his opening comments? Thank you and I do welcome the opportunity to have that discussion and talk about the lessons learned from previous IT programmes. I was appointed to the role of digital director on a permanent basis back in June, having done the role on a temporary basis for a few months, and the report has provided a really useful constructive input into our thinking around how we shape up the directorate that I'm now leading, the ways of working, the way we measure success, our structures, the approach that we need to developing our staff. It also helped to inform the Scottish Government's new digital strategy, which we published back in March 2017. I believe that that sets a really important context for today's discussion but also for the efforts that this country is making to make sure it's a successful digital country in the modern world. In our letter to the committee of 25th of August, we set out some of the changes that we're making, changing the structure of the directorate so that we can focus the resources we need on assurance, transformation, service design, the opportunities of new and emerging technologies, introducing a new tiered approach to assurance based on challenging standards, improving skills through our new digital skills academy and the digital champions programme, which works with leaders of the public sector, new approaches to procurement, including the further development of CivTech, the creation of the office of the chief designer to drive design thinking into the heart of government, and the way in which we work on digital transformation and lead projects with multidisciplinary teams that can reflect upon and learn from the lessons that come through the Audit Scotland report. For my part, I believe that a digital country requires a digital government and I'm determined that I build a team that is truly excellent and gives that leadership. 
I do welcome the opportunity to discuss that with you today. In doing so, I'm joined by Anne Moises, who I think many of you know is Scottish Government's chief information officer, who's leading our work on assurance and the new assurance framework that came out of the findings of the Audit Scotland report. Two senior colleagues from Social Security, Lisa Baron-Broadhurst, who has overall leadership of the programme, and Andy McClintock, a former colleague of ours in the digital directorate who's acting as chief digital officer of the social security programme. I think that if there are technical questions around how social security is developing, we'll be in a great position to answer those. Thank you very much. First question is to Bill Bowman. I would like to focus here on the submission of the Scottish Government with the annexes A, B and D, which you're familiar with. I read annex D, which I think is a social security one, short brief to the point, understood that. The A and B seems to be full of impressive language, but it's short on names, dates and numbers. Are you responsible for there being no further IT failures? If so, can you maybe explain briefly how you will do that? For my part, I'm responsible for making sure that we implement a robust process of assurance. I'm responsible for ensuring that we work with projects wherever they occur across the Scottish Government to pick up problems if they're going to occur early. I'm responsible for ensuring that we have clear standards, clear guidance, that there are training courses available for staff across the Scottish Government to help them lead programmes in a modern and effective way. Yes, in that sense, I'm here to improve the way in which the Scottish Government and all the public sector beyond that, working in partnership with local government and health and others, deliver IT programmes. Where have you reached in that process? Well, I'm sure you wouldn't expect me to say that everything is sorted.
This is a long-term project. I think we're making good progress. I think we have a good approach to assurance now in place and the work that Anne and her team do, and we've managed to build up that team and increase the resources of it, so I think we're in a good place there. I think we've got the groundwork of good training and support programmes in place. I think we've got a number of examples of good practice where we have co-located multidisciplinary teams that bring civil servants, policy people, together with delivery people that blend internal and external experience in the right way. I think we're getting there and we are certainly improving the way in which we manage IT programmes across the Government. Some examples of the numbers of people that you have, the teams that you have co-located. I just didn't get a feel from this of where you are and how it's working in practice. How many people do you have? How many locations are you in? In terms of the directorate, the digital directorate, we're around about 450 people, but that covers a range of things. That's not all about the management of IT programmes. For example, we're responsible for the rural attitude profiles broadband. About 250 of those people are working in the IT function of the Scottish Government, so we're working to maintain the systems and give civil servants and ministers and others the service that they need from an IT perspective. In terms of doing projects and taking some examples of where we've got co-located teams. In our own office in Victoria Quay, we have teams working on transformation activities, so we have teams working on the development of a common approach to licensing. Actually, they're based out in Glasgow working with SEPA, co-located with SEPA, and we're doing a new approach to licensing in SEPA, which is on the rather glamorous subject of licensing of septic tanks, but it is allowing us to test out a common process for how you approach licensing going forward.
We've got co-located teams with social security, and we'll maybe go on to explore those, but my team is a partner in the social security programme. We bring technical expertise. We bring delivery expertise into that programme when we're co-located there. We've got a number of examples of co-located teams. I'm happy to take you through. How many people would be focused on, shall we say, preventing future problems? The Office of the Chief Information Officer, which Anne can talk about, has focused on the assurance process at the moment. We have about seven staff, and we're building that. We've ramped that up consistently over the year, but that's not the only way in which we look to ensure that there are no IT failures. That is an assurance process, so that's going in and assessing, and we, of course, draw on external expertise. We have a network of people across government who carry out digital first assessments, who don't necessarily work in my team, in fact, not a majority of them don't, and we draw on external experts to do that. The digital transformation team, as such, the digital business models team, has about 100 people in it, and they're working on various programmes, so they'll be working on our common approach to information, the provision of information, for example, metrics. Some of those projects I talked about earlier, working with SEPA, working on licensing, working on social security. So we've got about 100 people in the, what I might class, the delivery side of this, seven and growing in the assurance side, and then more people working on projects like around data, for example. We've got 40 people in that team. So it's a significant investment in staff and resource to get this right. Let me ask just one more question. From the assurance side, then, have you carried out some assurance functions and found something that you have found? I think I might pass that on to Anne. The short answer is yes. 
We've been embedding a two-tier assurance process for about a year now, a set of digital first standards which set out how projects should be delivered, and the expectations that we have about how users are engaged, about how teams are constructed, about how projects are run, and we've conducted a number of those exercises. Then we have a specific assurance process for what we regard as high value or high reputational risk projects. Again, Anne's team is responsible for leading those, and I'm sure she'll be able to tell you about some of the specific examples. I can indeed. We've carried out a number of both stop-go assessments, which are major projects. Those are the ones that are over either £5 million or of a significant risk or reputational value associated with them. We've also carried out a fair number of digital first assessments. I can give you the exact numbers. From the launch, which was August last year, we carried out 12 digital first assessments, three in the pilot stage, which was quite important, because we wanted to ensure that the process was one that not only added value to us from an assurance perspective, but added value to the projects themselves, that they understood what we were looking for, and that we had a really good view of where they were going to need support should the assessments come up with recommendations. In that particular area—I'm talking about digital first—we worked very closely with the digital transformation service, which Colin already mentioned, so that, should we identify areas where they need more support—for example, user research, or an understanding of web or quality, we can offer support to go into the teams and they will work with those teams to bring them up to the required standard. Since then, we have done another 12 digital first assessments. On the stop-go, which are the major ones, we have carried out four currently. Those are large projects. 
Social security being one of the projects that we have carried out at stop-go assessment, Revenue Scotland, national registers of Scotland and Transport Scotland as well. We have quite a number planned between now and the end of the financial year. James Kelly has a supplementary. Just on this point about assurance, can I ask, is there a dedicated computer audit team? Not within my internal OCIO team, no. There is an internal audit team within the Scottish Government as part of audit itself, yes. Are there computer audits carried out in terms of the systems that the Scottish Government is responsible for? What I can tell you is about the systems that I have personally been responsible for. In running the IT for the core Scottish Government and yes, we are subject to regular audits. Is there a dedicated computer audit that takes place? I am not 100 per cent. My point is that there is a discussion about assurance and in order to provide assurance about the quality in terms of the IT systems that are under development and also those that have been implemented. I would have expected, when I looked at this thing in business, that they would normally be subject to regular computer audit to ensure that the processes and procedures that you have got in place are top quality and delivered into the standard that we expect. It does not seem to be a computer audit function, so how is that fulfilled? What my team does, supplemented by external experts, is to carry out what we call technical assurance, which is an audit at a point in time in a project. I will be clear that those are projects that are in flight, so they are things that are actually in the process of developing or delivering. If I give you a kind of example, the e-counting project, which was the one that did the counting of votes for the local authority elections, was one of the ones that we actually piloted the stop-go process on. For that, we actually created a mixed team.
We did not just look at the computer elements. We brought in recording officers from local authorities, and we brought in people who understood the algorithms behind how the counting worked. We determined what the project is, and then we created a team that can explore not just the technical bit of it, but how the technical bit of it works in context. I am not 100 per cent sure that that is exactly the same as a traditional computer audit. It sounds to me as if that will drill into a particular part of the process, rather than having responsibility for a complete overview of the process. I am also not convinced that the example that you have described from a computer audit point of view would expect a level of independence, and I am not sure that that is there. The independence is definitely there. My team is entirely separate now from any delivery mechanisms across central government. As I said, it is often supplemented by experts who work at a UK level in very specific topics. We try very hard to make sure that we succeed in making sure that the team is independent and that it has the requisite expertise to look at the particular project that we are involved with. How is there a segregation between your team and the teams that you are providing assurance to? How is that independence assured? I think Anne has cited the fact that until about six months ago independence was not as clear as we wanted it to be. As part of the changes that we are introducing, we split off responsibility for assurance into a separate function under the OCIO, which now has responsibility for two main things, assurance and the development of staff and capabilities and the professions across the piece. The operational running of the Scottish Government's computer systems is now the responsibility of a new post, which is the chief operations officer, which I think is a better way and more in line with the principles of Audit Scotland of going. I have got a supplementary from Willie Coffey. 
Thanks very much, convener. I wonder if I could just ask you a wee bit more about this stop-go process. Effectively, that is an assurance process, but I would like to get a wee bit more understanding about what exactly it is, what causes something to stop, what happens between stop and go and what constitutes the permission to then go again. It sounds as though that is a quality check in place, but could you explain a wee bit more about what causes that? Is it event-driven? Is it failure-driven? What exactly causes it to enter that process? How we set this up is that we are intervening in projects at key points in their development cycle, picking up a lot of the key indicators that are in the Audit Scotland report, some of which were previously in our checklist, but that has been supplemented to make sure that we have all of them. We intervene on a mandatory basis now. It is no longer a matter of choice whether projects engage with us. We come along and say that we are going to have a review at a certain point at key points. If we take, for example, a key point in a project perhaps before they go out to tender to put out a requirement to contractors, at that point we would have an assurance team convened who understood the subject matter. What they would do is that they would look at pretty much all the indicators that are in the Audit Scotland report of what good looks like, all the checklist material that we have from previous experience, not just in the Scottish Government but from the UK and from other countries, about the indicators of potential failure. It is either a three- or four-day process with a number of people on the review team. The project provides us all their background material and we have in-depth interviews with the people who are actually delivering the project. 
At the end of that, there is a report produced that looks at all the key indicators and the expert assurance team gives a view on whether there are areas of risk and, if so, if that risk is such that the project should halt until those risks have been mitigated or issues rectified. We have not put a complete stop on any project in the period since this process has been running, but we have come up with a number of recommendations that the projects have implemented really quite quickly before they have actually got the momentum back up again. If, for example, we came up with a really big issue around a document that was about to go out to tender, our expectation is that they would not issue the document until such times as they had rectified the problems we had identified. Can I just possibly add to that? We also talked about our standards, our digital first standards, and that all significant projects are subject to those kind of reviews. That would review the progress of a project at discovery level, alpha and beta in our terms in the life cycle. The first review of whether a project is following standards is in the exploratory phase. It is in the phase when you are finding out about user needs and you are starting to design the process. I think that one of the criticisms that Audit Scotland has made of us in the past is that we did not engage early enough in checking that a project was being effectively scoped and that user needs were being effectively understood. One of the really important things about the standards process is that it gets in early and it asks questions about the design of a project, not just the way in which it is being delivered. These are basically system reviews, review points. That is an audit process in itself. Who would carry that out? Are people slightly outwith the project scope? It is always people outwith the project scope. Who are they? Are they software engineers? Are they auditors? What kind of flavour are they?
It really depends upon the project. We always make sure that there is a significant technical expertise within that team. For example, as I said to you, in digital first standards, for example, what is really critical is that you have people who are experts in understanding customers or the way in which user research or service design is carried on. They are multidisciplinary teams. The balance of that expertise will be skewed depending upon the type of project and whereabouts it is in the life cycle. Where we have needed to and we have on occasions, we will bring in external expertise if we think there is a particular issue. Maybe that would be around cyber or some very detailed technical issue, where we need external expertise. We bring that in as well. I wonder whether I could ask a supplementary question, because I am getting increasingly confused as to layers of accountability here. Let me just be practical. Let's say that there is a problem ultimately that none of us would wish with the social security system that is being designed. Is it Lisa that I would go to? Is she the one accountable or is it you, Colin? Lisa is accountable for the delivery of the social security programme of which IT has a critical part to play. I am a member of the programme board of social security, so I share responsibility for the delivery of social security. My specific role on that is to make sure that in the way in which social security IT systems are developed and digital systems are developed, they do so as far as possible in line with the digital strategy of the Scottish Government. I also have people who work for me who are part of that team. Ultimately, the Accountable Officer for Social Security is in the social security line. It is not you. The buck does not stop with you. It stops with Lisa. Is that what you are telling me? On a specific issue around the delivery of social security, the buck starts with Lisa.
On the way in which a programme is developed, we share accountability through the programme board structure for the delivery of that programme. There is not one person responsible for the delivery in its entirety, both design and delivery. There is not one person responsible for this project. As Colin said, his role is to ensure that we have the materials, the tools, the techniques, the people to support us in that delivery. My ambition would be that we do not hit a problem. We actually work together, work with Audit Scotland, work with others and learn lessons so that we actually do not get to a point where we actually have a problem. Just to support these guys in terms of what they were saying, we have just been through a pre-procurement gate. We have just awarded a contract. It is going to be awarded officially or it goes live on the 30th. I think we notified you yesterday. We went through quite a robust review. It is, Mr Coffey, a review, but it is a really robust review. On that panel they had technical IT people, people that knew around the digital first standards. It was quite a rigorous review. It is quite challenging in terms of what we were doing, how we were doing things. It was not just what IT or technical things you put in place. It is what governance do you have around that, what people do you have in place, what capability do you have. It is a real robust assessment around that, if that helps. I am very simple. I want one person accountable for all IT projects within the Scottish Government, and I am not hearing that. I am hearing individual departmental responsibility. Bill? If you have a stop-go system and a stop is missed, then that comes to you, does it not? If the assurance process recommends a stop or misses a stop. The quality of the IT assurance process is a responsibility of the digital directorate and the office of the chief information officer within that, absolutely.
The quality of a specific IT programme as a core part of the delivery of a particular programme of the size of social security is a matter for the social security team, but we do everything that we can, and we are responsible for challenging and making sure that they follow the best practice and that all assurance gates are followed and acted upon. We do have the ability, and I think this has come back to this, and that is why they are called stop-gos, we do have the ability to stop a project if we do not believe that the best practice is being followed. Interesting. Liam Kerr. Thank you, convener. Good morning. I would just like to go back, if I may, particularly Mr Cook. We heard from the convener's opening remarks that this is the third report, or there have been three reports from Audit Scotland. Do you have oversight as to why previous Audit Scotland reports and the actions taken by the Scottish Government in response have not prevented further ICT issues? My job is to make sure that we do learn from those processes. We are thoroughly acquainted with all the messages that Audit Scotland put. We work very closely with Audit Scotland to learn from that, and I have started to describe some of the things that I believe best reflect their principles. I think I know you have a session with Audit Scotland later, but I think we have had a very positive working engagement with that organisation to develop some of those approaches. On a personal level, I came into this job on a permanent basis in June, so I am not able to really talk with confidence about actions that were taken two or three years ago, but I am able to talk with confidence about what we are doing and how we are learning from it now.
It is important for you to be able—I simply put this to you based on the answer, I am not challenging you—but it is important for you to be able to say why things have gone wrong, notwithstanding the previous reports, one would have thought that one of the first jobs that you would have taken would be to look at it and say, why, when previous recommendations were made, were they not taken on board and or were they not actioned sufficiently to prevent this happening in the future? That I take as very much the input to my thinking about how I need to organise this function. As I said to you, we made sure that there is a clear separation of responsibilities between delivery and assessment. I think that is an important thing. We are increasing the training that is available. We are making sure that we can bring in expert staff from outside the organisation where we need to. We are making resources available to projects, to programmes right across the Scottish Government so that they can act as intelligent clients so that they can find the right people to work in their programmes. I mean, for example, a lot of the recruitment that has been done in social security on the digital side has my team involved in that assessment process because we have the expertise to spot—I hope we have the expertise to spot, including the appointment of Andy McClintock here—we have the expertise to identify the kind of talent that we need to deliver. I think there is a lot of criticism in the past that we got the wrong people in the wrong places. I think we are trying to deal with that. All of the reports of Audit Scotland, particularly the report that we are talking about here today, because that took a really great international look at how we manage IT projects, is completely influencing our thinking and our approach. 
I may come back to the staffing side of things, the talent side of things later on, but the convener also remarked about that this committee is looking for reassurance that things will be different this time. To some extent, I think that you might have answered this, but what specific actions are proposed in the new Scottish Government submission that have not been previously tried, that have not been previously considered such that this time will be different? I think—I may explain to you that we have a new structure, that we have increased our resources, that we are taking a much firmer role around assurance. As Anne said, there was a time when engagement with the Chief Information Officer around assurance was a voluntary type process. Now it is a mandatory process within Scotland's digital strategy. It talks about digital first standards allowing us to stop projects. It talks about the assurance process giving stop-go powers to this team. We have considerably strengthened the bite that the audit process has. I think that is a really, really important difference from the past. When I took up this job, I said that one of my major objectives was to make sure that we had an assurance process with teeth, and that is what we are building. We are making the resources available to do it. That is not always easy within constraints, as one can imagine, but we have made that call and that commitment, because we think that is something that we as a digital directorate is in a unique position to do. Moving from there to public bodies themselves, in previous public audit committees, Scottish Government officials had told the committee members that they had highlighted an Audit Scotland checklist on ICT to the chief executives of the relevant public bodies. Do you know from your review of what has gone before whether that action resulted in any significant measurable improvements? Can I produce a list saying in which projects would have failed otherwise? No.
Do I think that it has resulted in measurable improvements? Definitely yes. The checklist was initially, and I am going back to actions taken after the 2012 Audit Scotland report, was literally designed to help senior responsible owners to ask sensible questions of the projects that they are guiding or directing. We changed that as our processes have evolved to ask for copies of the responses to the checklists so that the office of the CIO can run a quality check over the kinds of responses and pick up any danger signals. The questions that the checklist asks are some of the ones that have been highlighted in the latest Audit Scotland report as key indicators of potential problems later. It asks about whether you have the right skills in the team who is delivering your project. If you don't, do you know where to go to? We can pick that up and direct them to the right source of advice and guidance or bodies on the ground. It asks about the funding arrangements. It asks about the governance arrangements. It signposts good practice. Yes, quite a number of the failures that are really high-profile, the i6s, the NHS 24s and the CAP futures. All those programmes were in train before those assurance processes came into place. I think that if we had some of those then that we could have stopped some of the problems, potentially yes. I won't be able to prove that the process works because if it does work, we won't have the problems. I'm proving a negative. What I'm hearing is that you've developed the process, you've developed the assurance, but how will you ensure that the public bodies themselves also learn those lessons from the previous programmes? One, by making the guidance widely available, but the most effective way is by going out and talking to the public bodies, which we are doing as the OCIO has staffed up. We are sending colleagues out and we're starting with the major projects.
We're not spending a lot of time on some of the under £100,000 at the moment, so we're concentrating on the major projects, but we're going out and having engagements with the chief executive, the head of corporate services to explain not just that the guidance exists but why it matters and why it should matter deeply to them and to create a rapport so that they feel comfortable to pick up the phone, ask for advice, ask for help or ask for us to assist in signposting resources. Just to finish on my section, if you like, specifically to the social security programme, so what specific steps has the social security programme taken to learn lessons from the previous ICT? Okay, so I've been in post 15 months, so one of the things I'm really keen on is I'm really big on lessons learned. One of the first things I actually did was speak to our Audit Scotland colleagues about what they've done previous reports that had come out. My team regularly meet, we call meetings every three months and invite people in from other major projects, both in public sector and private sector across government, not just locally. I think we've had 25 different projects in so far. My view is that in terms of that lessons learned, you can't just learn the lessons and put it on the shelf. Our lessons learned is a living document, so we actually catalogue those lessons learned, actually give them an action owner, what are we going to do about it, so lessons that are good, lessons that are bad, and what we're going to do. Certainly the Audit Scotland report was really good for us because we were able to put an action plan in the back of that to make sure that actually we don't fall into any of those traps, you know, we're not going to do big bang, that type of thing. So, you know, we've done a tremendous amount of work on lessons learned, but actually not just lessons learned, what are we going to do about the lessons and how we're going to implement them in particular to social security?
Thank you.
Okay. Colin Beattie.
Thank you, convener. Can I say just at the beginning that this document from the Scottish Government is probably one of the more obscure ones that have come forward in this session of Parliament? I should have put a constituent of mine, if I handed it to him on the street, would say about it. However, let me try and pluck a few bits from it and try and expand knowledge. If we look at, it would have been helpful if these pages had been numbered, but in Annex A, item six, you talk about an IT assurance framework, which supports senior responsible owners and accountable officers. Can you give me some understanding of the role particularly of the IT assurance framework in relation to that support role with senior responsible owners? How do they work together? What do they do? How do they come together? Basically, what can you tell me?
The IT assurance framework is the approach that we've been describing in terms of assessments that are made and where they operate, the various stages that they operate, the things that we look at and the fact that we share those results and discuss them with the senior responsible owners and that we have the ability to stop programmes. One of the key recommendations from Audit Scotland was that all projects were seen within an overarching framework of assurance and that's effectively what we've established under the role of the OCIO. We've also done it in what I hope is a very intelligent way over the first few months of its operation in that when Chief Information Officer, when Anne gives the findings from an assurance, it's not just a sort of tick or no tick. It's a set of guidance, lessons, things that you can learn, things that we expect to improve. Of course, within my team, as I was making the point earlier, we have resources that senior responsible officers across the Scottish Government and beyond can buy into.
We actually have somewhere for people to go for the expertise that they need, so it's not just a question of criticising and leaving it at that. There is a way in which they can access skills to address some of those problems. Do you want to?
The reason the assurance framework is intended to support senior responsible owners and accountable officers is because it's not just about technical IT, it's about the entire programme or project. One of the lessons that we have learned in the previous experiences is that you have to make sure that the entire range of the team understands what's in the report and it's critically important that the person leading the programme or project understands what's in the report and what the potential consequences of any issues are and what he or she should be expecting their team to do in the way of remedial action. It's not a report that just goes to the IT people. It's intended for the programme and it's specifically intended to ensure that the senior responsible owner, the person who's ultimately responsible for that programme, knows what issues there are and knows what's expected.
The senior responsible owner would in effect, for example, be Lisa in respect to the social security system. Is that correct?
Stephen Kerr is the senior responsible officer for social security. So Stephen has overall responsibility for the delivery of the social security programme per se. Lisa is his programme director. He's in charge of the directorate within which social security will sit and that includes the programme to develop the new agency and then the running of that agency after that.
Does that make him the accountable officer as well?
Ultimately Stephen will be the accountable officer for social security, but you've got to remember in terms of social security. Social security isn't an IT project. Social security is about putting an agency in place for the people of Scotland with the right processes and procedures that we will IT enable.
So the IT is part of that. So it's obviously a big part, an important part, but it's not an IT project. It's a social security agency for Scotland, which will IT enable.
Social security, who's the accountable officer?
Stephen Kerr is the senior responsible officer for social security.
So he is the responsible officer?
Yes. His head will be first on the chopping block, followed by me.
So he's the responsible officer, but he's also the accountable officer?
Yes.
So the two positions actually could be the same?
They could be the same. In some organisations they're not. So take an executive agency, for example, the senior responsible owner might be head of corporate services for a project, whereas the accountable officer would be the chief executive.
Is the structure going to work?
The structure is working actually. The reason those two particular terms are included in there is because we're, this leaves us a point again, we're very keen that this isn't seen as just looking at IT in an island, that there is no such thing as an IT project. The point of doing something that's IT enabled is to actually create a business change or a transformation, and that matters to the person who's running the entire programme, and it matters to the accountable officer if it's an agency. IT contributes and can cause massive problems, but it's only part of the bigger picture for an agency chief executive, for example.
So the structures of social security and the governance and the accountability will absolutely work. One of the things, again, from the Audit Scotland report is around making sure that accountability is there, making sure that, you know, there's one route way up to the top, which in our case is the programme board. Yeah, in terms of my activities, in terms of social security, all those boards feed through to that one programme board. On that programme board you'll have Colin there as the representative from the central IT digital function.
You'll have lead commercial colleagues, lead finance colleagues. So for social security it all leads to programme board. Big lessons learned from previous programmes that you will know about is when you have groups of people in different areas, and I think that might be what you're getting at, Mr Beattie, in terms of when the accountability sits in different areas. For social security the accountability is in one pillar, in one tier, so that all feeds up to one place. We will get the independent assurance through the digital centre, but ultimately that accountability leads up to one programme board. For social security I'm quite confident that we've got the right governance structures in with the right levels of accountability in order to do that.
I'm glad it's so clear. I'm looking at coming back to the stop-go gates. If I look at the, I don't know which, Annex C, sorry, that one doesn't work. If I'm looking at Annex B, 5, 2, is it not a bit of a cop out at the stop-go gates? Isn't that a way of just pushing decisions up into the lap of the lead minister and ultimately the cabinet secretary for finance and constitution? According to this, where a stop-go assessment is made, accountable officer can only proceed following a process requiring the lead minister to agree this arrangement with the cabinet secretary for finance and constitution, who clearly are not IT experts and will be advised by the people who are running the project. The people who are running the project presumably go to the minister and say, yeah, it's okay to continue. That's the expert advice, all right then. What sort of judgment are you expecting the ministers to make for an IT project? Surely that's a responsibility of the civil service to deliver.
The civil service will make a recommendation to the minister, but I actually think this, and this is one of the ways in which we're...
This will be the same people doing the assessments.
The minister will be able to...
Will be given the assessment that's been made and the recommendations that have come from Anne's team in particular around that assessment. The judgment on whether to proceed is a judgment that will be taken in a broader context, and I think that's right and proper that it should be taken at the highest possible level in cases of huge public interest. I think what's important, and this again is a reflection of some of the lessons from Audit Scotland is that by going through that process, by making sure that the lessons from an audit are seen at the highest level, there can be no suggestion that decisions are not being taken in an open and transparent way. I think one of the things we learned from some of the Audit Scotland reports was that decisions needed to be escalated, the right level of focus needed to be brought at those at the right time, and this is very much part of that process.
This means that every stop-go, this is where I read it, every stop-go will end up with the accountable officer going to the lead minister who then has to go to the cabinet secretary. That's how I read this.
Only a stop? Only a stop that the programme disagrees with. The expectation would be that if the assurance team comes up with a stop, it will be evidenced, and that, under most circumstances, the programme team will recognise why there is a major issue and what it is that it should do before it restarts the programme. We have recognised that there may be circumstances for a variety of reasons, payment deadlines, all sorts of things, that the programme team does not agree with the assessment from the independent review team, and that, despite the fact that we have recommended that they stop, they need to continue. That is the only circumstance where it would be escalated.
That's not what it says here.
Where a stop-go assessment is made, an accountable officer could only proceed following a transparent process requiring the lead minister to agree this arrangement with the cabinet secretary of finance and constitution.
In which case, I apologise for the language. It's where a stop-go assessment has decided that there should be a stop, and we'll clarify that. I've taken a lesson from today's discussions already that we need to look at the internal marketing, if you like, of the process of assurance to make sure that everybody is clear about what it constitutes and how it operates, and if there's any obfuscation around that. I apologise if we've created a difficult way of understanding it in this particular letter. We'll make sure that, as we communicate across the Scottish Government, it is done in a very straightforward way, that everybody, be they IT experts or non-IT experts, can understand the implications for themselves.
If it's easier to put it into basic language, for example, as programme director of social security, if I got a red stop, it would be really unusual for a programme director to insist that that carried on going without taking the actions that came out of those recommendations. You'd really be looking at why have I got a stop, what am I going to do, what are the actions I need to do to mitigate that. It would be really unusual to go forward at risk, you know what I mean, because really it would be at risk because you've got to stop gates, so why would you therefore then be trying to convince the minister that that's the right thing to do. You'd be looking at what actions you need to take to get you back on track, do those actions, make sure you've got the action plan in place, and then proceed.
I'm sure there is no doubt about this, but the reason that the Cabinet Secretary for Finance and Constitution is cited in this process is, from a digital point of view, he is the minister to whom we report on issues around digital public services.
So this would be a scenario in which the civil servants working for the Cabinet Secretary for Finance and Constitution have made a recommendation to stop a project in an area where a colleague of the minister is responsible for the delivery of the programme, and we think it's right and proper that both ministers are involved in agreeing a way forward in that scenario.
Okay, just let me pick out another bit. On Annex B, item one, second bullet point, this is a question of recruitment for talent to lead the largest programmes, for example social security, increased support for the accountable officer and SRO and so on. What's the success rate in that recruitment been?
Recruitment is always and continues to be very challenging. I feel very awkward about giving you a view on the success rate of recruitment to high-profile digital jobs within social security, because it's sitting next to me, and we managed to find a candidate of suitable qualifications to do that.
It was significant that it's mentioned, but there's no quantification of success.
We are finding it difficult to attract the talent that we need in senior levels within IT programmes. To be honest, it's a problem across quite a lot of the country and in different sectors of the economy, not only the public sector, because there's a shortage of high-quality IT people.
What is the percentage gap? For example, if you need 10 people to do a particular job when you've only got five or six?
It's not really possible to quantify it in that way. What we're talking in specific here is at the top level.
No, maybe we can do that for social security. Andy, you're probably the best placed to answer that.
We're currently in the process of recruiting a number of IT personnel, so our current headline number is at the moment. We're heading to a recruitment level of 68 people. We have 15 people in post. We had a further 10 showed up to come on the stream by the end of December.
It's not easy to recruit talent as Colin has referenced already, but we're taking a multi-channel approach in terms of where we're looking to market. That's a mixture of looking within the civil service, across government departments and, indeed, the private sector, through external adverts, and in necessarily some interim replacements and interim resource contracts to fill those gaps. The skills that are needed are in huge demand not just in Scotland but across the UK. If it's on salary alone, we will always struggle to compete with the private sector, because in numerical terms, there is often a wide disparity. Early indication so far is that, whilst our results haven't been as great as what we would have expected, we're no different from anybody else, but we are seeing the programme as being an attractive opportunity for a number of IT professionals who want to come and join a programme that's got a four-year plus life expectancy. That in itself is an attraction to staff and we're seeing a good response rate. Often, a response rate doesn't transfer into permanent persons and people who actually make it to the process because they don't actually have the attributes or don't display the attributes at the final stage of an interview, but at the moment, we're using a combined approach to resource what we need. We all use the supplier market as we go through our procurement process. They will bring supplier expertise to the table. We also have to be mindful of the legacy so that if we overstaff this programme in permanent people, when we get over the hump of the programme, we will have a surplus of staff potentially, so we have to be mindful of the legacy that we will leave in years to come. We're striking the balance by making sure that we get the right people in post along the journey at the right points in the programme as what the technology starts to develop.
Just one last point. We've highlighted the difficulties of recruiting specific talent into the IT side.
Annex C, last paragraph on the first page, you say, in total, 58 assessors have been recruited and trained to carry out assessments. Well, it doesn't seem to be any problem in getting assessors. Does that mean that it's actually 58 extra bodies and who trained them?
That's a reference to the way in which we carry out digital first assessments and that is done by peers, that is done by a group of IT and other experts within the Scottish Government. We train them in the process of assessment and draw upon their expertise in a particular field as part of that assessment. That's all 58 cases.
So there's no additional cost, if you like, other than the notional cost?
Other than the notional cost, yes. Obviously, the opportunity cost of—
The training cost, that was the only other problem. Who does the training?
We've got colleagues from the Government Digital Service down south who have been running a very similar process for some time to come up and train our assessors.
Was there a cost to that?
Actually, no, because they were very good and they did it for free.
Oh, I like that. Yes, or did I? Thank you.
Okay, James Kelly had us up from entry.
Okay, do you want to follow up on one of Colin Beattie's earlier points about the assurance process and the reports that were carried out once you did that, an assurance task? He said that he went to the programme director and he flagged up any issues. How is that formatted in the sense of how does it identify what the issues are, who is responsible for addressing the issue and what is the timescale for getting the issue resolved?
What our report does is identify the issue. It doesn't say who in the team is responsible for actioning it. That's why it goes to the senior responsible owner or the programme director. The next step is what we ask for back is an action plan to address all those issues.
The action plan is the responsibility normally of the programme director to pull together and would identify the issues that are being tasked with delivering them and would give us a timescale for when the delivery would be completed. Our report does say whether things are immediate, whether they are critical, that they have to be done before the programme progresses, but the actual programme director would give us a very detailed response. We then follow up on that to ensure that the actions have actually been carried out.
Thank you, convener. Just a matter arising that was interesting in Colin Beattie's question on the recruitment. The Scottish Government has noted throughout its document that there are difficulties recruiting and retaining, and this committee has certainly investigated that in quite some depth before. Are you able to give us any idea as to the reason for why it's so difficult to recruit and retain? Is this to do with pay scales, a competition from the private sector, such that you can't buy talent? Is it because the talent pool is too small at present? What's going on?
The easy answer is to say all of the above. Just before I answer the question, I think it's worth noting that in terms of retention, we actually outperform the market, and I think that's very much a function of some of that enthusiasm that Andy was describing for the type of work that we're doing. From a digital point of view, the ability to work on a programme and a project that has a direct effect on people's lives is a very attractive proposition for people in a competitive market, because it's a real feather in the cap to have worked on something that is of national importance. Retention, I think we do outperform the market. In terms of recruitment difficulties, we don't pay at the same level either in basic salary or in bonuses than some of the large financial institutions in this area, so we are at a slight competitive disadvantage there.
There is a limited pool of certain skills within the Scottish and indeed UK market. A majority of businesses, particularly digital businesses, will report similar difficulties in recruiting the talent that they have. There are things that we need to do in order to improve the process of recruitment, and we're working very hard with our HR colleagues about making it a slicker and faster process of recruitment on board people, because if you're in a competitive market, you need to be as quick as you possibly can. Make all the robust checks, of course, but be as smooth as you possibly can within the recruitment process and make that pitch, that excitement, that opportunity to work here in a clear and coherent way. Sorry, there are improvements that we can make in the process, but it's a combination of things.
That begs a question. I'll throw this out as a hypothetical. In terms of the pay, could there be an argument structured that there's a false economy going on here if you are unable to pay for the best talent? That has a causal effect down the line on the output that there's a false economy. The other question is about the development of talent. I noticed that there are references to the digital academy, which presumably has a time period before it comes online and before it starts producing. Underneath that, what is being done to develop talent at the earlier levels, primary schools, secondary schools and colleges?
There's a huge question there, and I'll try and deal with it in all its component parts. Please forgive me if I miss one. You're absolutely right that it is absolutely essential for the success of major IT projects that we have the right people with the right skills. That clearly comes through Audit Scotland, and it's something we take very, very seriously. If we can't attract people on a permanent basis onto civil service terms and conditions to run that, there are other ways in which we do that. We go to the market for contractors.
We are developing for social security, for example, a benching arrangement with contractors in the private sector, so we can draw on talent. We're looking at opportunities around secondments from major organisations to increase the pool of talent that we can bring to bear on major projects. That's that approach. In terms of our approach to training, yes, the Digital Skills Academy is up and running. It's going to be extended and expanded. It's providing really good training on things like working in an agile environment about agile project management. We've had great support in doing that from the Cabinet Office down south and others, and we'll continue to build that, and we've got our own trainers coming on board so that we can expand that function, and that's really vital. We also have a commitment to bringing in new talent into the organisation at modern apprentice level and at entry level, and we will train people in the right ways of developing IT projects. The bigger issue is one that's also very much at the heart of the digital strategy. We have an industry across Scotland, indeed across the UK and beyond, where we don't have the talent. We have a number of vacancies, where there are many thousands of vacancies in tech industries, and it's forecast to increase, and yes, we need to address that right from the beginning throughout the education system, and the Cabinet Secretary is very focused on that, the way in which IT is taught in schools, the choices that people, particularly young women, make early in their school careers, that then put them into a channel where an IT career doesn't appear to be the most obvious route for them. All these things need to be addressed, and they are being addressed within the context of the digital strategy.
If it helps, what we're trying to do on social security as well is looking at how to be a bit more innovative.
For example, we've just announced that the corporate centre will be in Dundee, and Dundee is one of the biggest universities that has exceptional digital and technology people coming out of it, so we're trying to work with them to see whether there's any of those people coming through those courses or interns and things like that that we can actually bring into the social security programme. The new provider that's coming on board to help us with the low-income benefits and their corporate contribution is to actually go back into the schools and talk to the schools about IT jobs, technical jobs, and how to get all the people into that, and they've got a commitment to sponsor. I can't remember off the top of my head, but some modern apprentices into the technology jobs to support the work as well, so we're trying where possible to be a little bit more innovative as well.
Because presumably one of the difficulties coming from the northeast and looking at what the oil industry has had to cope with, presumably if you have a dearth of talent there's a danger that you bring on talent, you bring it in, and then talent is poached. So how are you addressing that?
One of the things we've in terms of social security again, we're quite big on our risks as well, so we've just had a deep dive on that particular risk around retaining people and keeping people, so we're in close liaison with our HR colleagues to say what can we do to retain people, and actually a lot of the discussions also focused on actually when we're bringing people in, what are we talking to them about their own development and how we might be able to encourage them into the civil service so that we can have some own grown people that are people of the future, our talent of the future, so we're having sort of those discussions as well to try and bring more people in and encourage more people to come forward.
I do think it's worth saying however that in one sense we're not scared of that.
I said our retention rates are very good by industry standards, but actually if we want the best talent and we want people to recognise that a role in digital government is a good thing for their career, we really shouldn't be scared that they might want to take those skills and go elsewhere. I think I would love to see people circulating around all industries in Scotland and contributing to government at a point in their careers, and I'd be very happy with that, particularly on some of the more technical functions, technical architects and cyber expertise, to have that kind of talent pool would be a good thing.
Before I bring in Willie Coffey, can I just ask Mr Cook whether you would provide the committee with the number of vacancies that you currently have in IT, in the same way that Mr McClintock helpfully did for social security? You must be able to source a number for us. That would be particularly helpful. I tease out one thing about the role of ministers, because the Audit Scotland report was quite clear that some of the problems that had arisen in the past were down to legislative deadlines, and ministers have control over legislative deadlines in a way that you don't. If there was a stop notice and you reported that to the minister or the cabinet secretary, they, of course, can overrule you in light of legislation, is that the case? Would we be able to see that, that there would be a transparent process in decision making that we could follow?
The commitment of the auditing process is that it will be transparent, but it is those kinds of circumstances where we think it's right and proper for the ministers to discuss and make an agreement.
I would like to come back and explore a bit more in-depth on methodologies and standards and so on.
First of all, to pick up a point that was made earlier about whether we are talking about IT per se here or the wider aspect of social security, you must be aware that the estimated cost for the IT component of the social security transfer power is £190 million, which is more than half of the entire transformational cost of those powers to the Scottish Parliament. You have to forgive the committee members for focusing in and homing in on the IT aspects given where we have come from, so it's important to make that point. Can I start off by asking you a wee bit more about the digital first service standard? Where did it come from? When did it arise? When is it in place now? And why was something like that perhaps not in place before?
I don't know why it wasn't in place before. We introduced the digital first standards originally about a year ago. It's just coming to a year's work. It is built upon and reflects best practice from UK Government's Government digital services. It has a very similar feel, it's very closely affected by those standards and I think that's acknowledged across the world actually as a robust, good practice standard for digital programmes in government and you see those standards taken up and adjusted in countries such as Canada and Australia who are also embarking on major programmes of digitisation, so it's been imposed for a year. It looks, as I said, about the way in which you organise a project, the way in which you ensure that the users at the heart of the project, some of the controls that you have. We have been implementing it for nearly a year. We're now reviewing it. We're taking all the lessons learned about its first year of applications and then we're going to learn those, reboot that and really expand and extend the way in which we implement the digital first standard going forward. I think that this is the right time to assess that we've got it right and it is working in a Scottish context.
It may be that things like we might simplify it somewhat or reduce the number of the standards where we think there's duplication. It's those kind of things that we're looking at in terms of the review.
You described yourself as a peer group review involving a whole range of people with different specialisms, is it? It's an overarching overview. It's not a quality standard that's externally recognised and certified, is it? It's not that. What would it have in place that will control the project lifecycle of a particular piece of software that you might be commissioning? I'll come to the social security system in a wee minute. What would be controlling that and assuring the quality of that development?
I'm not sure I totally understand the question. The digital first standards will ensure that the programme, an IT project and within that a software development is developed in an appropriate way, is tested in an appropriate way, is based upon the needs of its users in an appropriate way, that it is run and developed in an appropriate way so it goes through an appropriate, there is a clear discovery process, there is an alpha stage where we test the technology that we have a private or a public beta and it will also ensure that we set up projects so that they can be continuously improved once they're in a live condition. I don't know if Anne wants to add to that or whether you're...
It's not an externally accredited scheme. It does, as Colin said, build on the experiences of the UK Government and is very detailed on 22 specific criteria. The digital first standard is designed not just to ensure that you're doing the project right but you're kind of doing the right project. There's quite a lot of qualitative as well as quantitative measurement in there and it does things in some areas where it refers to external standards. For example, on accessibility it refers to the external standard for W3C accessibility, disability standards.
At key points it will point out to external standards that can be externally validated if necessary but in general it's good practice within government and it builds on what has happened down in government digital service.
I was hoping that you wouldn't say that, because I don't want to make any political points on that, but the UK Government itself doesn't have a particularly impressive record in delivering IT projects and this is no political point, it's about IT and it's about expertise, so for using a standard that is a new sales way that doesn't have a great track record, I would be a wee bit concerned. Why haven't you considered embracing recognised industry quality management standards for IT projects?
Why haven't we done that? We have individual projects to some extent, so ISO accreditation for some things, what we haven't done is we haven't gone out and identified critical key external accreditation that would apply across all projects. We have made it rather a framework.
Why not, if you don't mind me asking now, why not? These are recognised industry models that give assurance, protect us from cost overruns, protect us from software that doesn't work. This is what these models are about, so why aren't we deploying them here at the core and at the heart of what we do?
At the risk of being slightly controversial, I have yet to see a standard that guarantees against cost overruns. If I could find one, I would apply it tomorrow.
I certainly don't want to make a political point. It's written into my job description that I don't, but I do think that the digital standards that were developed by Government Digital Service are now, as I said, recognised internationally as good practice in the development of digital solutions for government.
They allow you, as Anne said, where you need to go in more detail on a particular technical point and make sure that it meets a particular standard where you think that is appropriate, we will bring the expertise to bear to do that. That's what a lot of the major projects will do and a number of the reviews that Anne is responsible for, bringing external expertise who evaluate against industry standards. That option does exist and we will be using it effectively and appropriately. We may be here next year at this time and we may be looking at the implementation of the first module in the social security system, which I think has been estimated at £8.3 million to develop. Where is the assurance process at the heart of that? Is it basically in the hands of the external contractor that has been appointed or is it your team that will provide that assurance? The social security first stage or first module, as you described, that will be classified as a major project. It is going to be over £5 million. It is also incredibly important to the reputation of Government for a number of reasons. It will be subject to the major projects assurance process we have attempted to describe and to the digital first standards within that. We will be able to put that report and analysis in front of the committee and discuss it in a year's time if that's what you choose to do. Anne is chomping at the bit to come in here, but as well as obviously the digital first standards, which are great principles to work towards, getting down to the bottom line is we have a technical design authority that will be responsible for looking across the piece in terms of the technology and what we're putting in place to support the technology for social security. On that board, we're just considering bringing some non-executives into that board to give us a bit of external scrutiny, as well as a scrutiny that we get from the centre. 
I've engaged some contracts to give me some external scrutiny as well, so a bit of challenge in terms of what we're doing and how we're doing it. I'll bring Andy in in a minute because Andy has brought some key personnel into his area that have got some specific skills around cyber data and things like that that I'm sure work to the standards that you're describing, those industry standards. I think it's helpful if I set out the fact that we are a growing team, a growing capability, this £8.3 million contract that you referred to will be the first delivered next year. To get to that point, it's been a robust and open and fair procurement process, which has taken us a long time, it's had to stop, go, go along a way, it's had significant input from digital colleagues as part of specification. I think more importantly, it's had vital input from procurement. Procurement has a valuable part to play in the whole journey from conception requirements through to award of the contract and actual contract management. As Lisa said, I've brought in some expertise from elsewhere in the UK public sector that has an understanding of programmes of this scale previously, including those in the welfare and benefits area. We already have architecture expertise that has seen some of the unfortunate decisions in the event of the past. We've seen where mistakes were made previously and they help to enhance the architect solution and design that is both modular and adaptable for the future. If I'm sitting back in front of you next year, I hope to have a story to show you what the outputs of that effort and that planning has been along the way. This is more than just talk. A lot of the effort and the foundation that's been done over the past seven or eight months since I've been in post is about getting the right capabilities in and not rushing into an award of a piece of work. This £8.3m contract is a small part of a longer-term investment. 
I'm very clear that our long-term vision is not for a single supplier to have total control of this programme or the total solution. I see a multi-vendor, a multi-solution approach that is both adaptable for the benefits of today and what may come for tomorrow but also is able to interchange over the lifetime of the programme and beyond my existence. Ultimately, I could actually be one of the consumers of this benefits platform in the future, God forbid, so I want to make sure that wherever I'm instrumental in designing and delivering, I'm a consumer of too, so I have a vested interest from a number of perspectives. It's been very summer 2019. It's not going to be that long. I feel old already. But come back to the point, if you don't mind me saying that we have been here before, previous committees have been here before. We see a figure that says £8.3m. How robust is that at this stage? Have you got a complete and a full system requirement in place? Has it been signed off, approved by Government ministers, by the user involvement in specifying this? Is that robust or is that going to change as we go? Are you going to come back to Andy next year and say, well, the specification changed the wee bit again there and we had to adapt this and change that and now it's £16 million? First and foremost, the contract is capped and maximum values. It can't be exceeded, so that's the first and foremost. The specification has taken a long time to get to where it has. It's had multiple inputs from multiple parts of Government, including users' involvement in the early stages of some of the specification for user design. It's had digital input, it's had OCI input, it's had programme input, it's had policy input and it's had procurement input. The specification that went to market, in my view, is as robust as it could be. The response to market was healthy. We got down to a shortlist of suppliers and we finished up with the supplier that's been awarded as a piece of business. 
I'm confident, as I can be sitting here today, that they have the product, they have the capability, along with our capability, to deliver that solution by next year. The delivery approach won't be the fact that they will come in and deliver it and then hold us hostage to fortune. We are looking for a delivery model where they step back the delivery, so the first stage they deliver themselves, the second stage that we deliver with them and then the third stage we deliver with them standing behind. It's a very stepped model that at least and I have been away and evidenced elsewhere that the supplier has managed to do that previously. That and the combination of robust commercial skills on the ground, I have a high degree of confidence. That sounds pretty good. The external contractor that is doing it, there is no in-house software development going on from the Scottish Government, it's completely external, is it? In the whole context of what Colin and Lisa have touched on, this is an agile programme, so what we do will be done in incremental pieces of work. It's by the Scottish Government, IT team or is it the external contractor entirely? It's a combined approach, combined delivery model. To be clear, we are not developing software, we are taking an off-the-shelf product and we are adapting it, there will be some customisations of that solution and there are some licences in that contract, but this is not the concept of developing software from scratch. Because there is a combination of elements in that contract over the two-year life cycle, which is a mixture of services, product, licences and hosting costs in terms of where the app to platform is going to reside. It seems quite a high cost for something that's being adapted. 
Not really, if I was able to sit here and show you the elements and break down the contract, you'd understand what was £80.3 million and I think if you looked at it, if you had a look at it, if you looked at what was actually in the actual overall contract, you would look at it as a good value proposition for the public sector. Just back to the point about methodologies. The external contractor, for their point of view, they will apply their own system of controls and checks and quality management. They will be applying whatever their standards are for their element that they are developing and testing. You won't be applying your digital first standard, but they will be applying theirs. We are very clear, and it was part of the procurement specification that went out, that the bids that came back had to endorse and subscribe to those digital standards. So the bids that we marked back, on each of those 22 principles and standards, there was a compliance statement in terms of where they felt that they were ever compliant in full or in part. That was a basis of the overall evaluation and criteria. The quality management they apply once they are on site will be a blend of their own quality standards and our own approach. That's what this word, a joint delivery team, interspersed with an agile approach where we're breaking this piece, this delivery, into small bite-sized chunks. You've mentioned the £190 million figure already this morning. This represents a proportion of a potential £190 million spend. This is not the whole story. This is an increment or investment in the benefits platform for reuse in the future, but not just for the benefit today, but hopefully for the benefit for the future. 
Confidence from the fact that on social security and other projects, we're already demonstrating how having those blended teams, how having expertise within the government and from a supplier, working to the way in which government wants to see digital projects developed, as defined by the digital first standards, is changing practice and delivering results. I think the discovery that was undertaken to lead to the contract and is described is a good example of that, where work was taken place internally and externally. I think we have a good result in terms of a specification to go forward with. £8.3 million. Before we get to the point of spending some, any or all, the £8.3 million over the two-year period, all of the pieces of work that we've broken down in agile terms into sprints. Each of those sprints is a chunk of work that is very clearly specified by a very clear outcome and a very clear payment at the end of it. It's not a case of awarding £8.3 million and just paying the cheque. At £8.3 million, we'll be broken down into multiple bite-sized chunks and they'll deliver us along that way. If anybody around the table thinks I'm going to sit here and write a cheque and pay £8.3 million for nothing, it's not going to happen on my watch. I know a wee bit about agile and the methodology and the kind of iterative bite-sized chunk thing that you're describing, Andy, but some of the criticisms of agile lack evidence and records, for example, testing records, for example. Some of the criticisms about it, so could you address some of that? The first thing I was going to address is if you think we're not putting structures and governance around agile, you're wrong. From a programme director's point of view, we will still have all those project artefacts that you would normally expect, so you'd expect to robust plan a business case. 
All those pieces of the jigsaw absolutely have to be there, so they'll be measured against that plan so there's no slippage against timescales. It's a myth that, in an agile environment or in an agile world, you don't have a plan for delivery. You absolutely do. The software when it is being tested, the criticism I've heard of agile, is that it lacks an evidence base and a record base to provide any evidence for external audit, for example, from step to step, to make sure that the software is working. So the plan for this particular piece of work is that, for example, around security and testing, in each and every stage of every piece of the software that's introduced or is adapted, security and cyber resilience and prevention of fraud and etc, etc, is embedded into each of those stages, so we're building security in by design. Testing will be done at a unit level, so each piece of work and each piece of sprint work will have an element of testing in it, whether it's development testing, unit testing, life testing, so testing will be incremental work, it won't be left until the end when the £8.3 million is payable or the last bit of the £8.3 million is payable, before we realise we have a system that other doesn't work into when. Things are done, the work is broken down into packages and phases and sprints, but the actual incremental use of that software and the test that software is done in the same approach too. From my part, I understand that the use of different project management methodologies is a controversial area. What we ensure, and we reflect this in our standards, is that agile methodologies are used where they're appropriate, and that's particularly in areas that are new developments, but please take my assurance that the way in which we will apply agile methodologies is disciplined. It will relate to an overall framework of governance, so there will be a good oversight on how projects are developed. 
The fact that it allows for frequent inspection and adaption of a product and regular releases of software allows us to have that confidence, so we think that it's the right methodology for this particular programme. Final point. One of the previous serious criticisms of software development projects was the lack of documentation by code writers from step to step, and that was particularly a problem when personnel would change and move on. It was incredibly difficult to fix, repair and maintain software for which there was very little documentation. If we are given the assurance that there will be substantial documentation and test records available throughout the phase of the project, I'd take some great comfort in hearing that from you. I'll reflect on what I said earlier. This is a product that a large part of this 8.3 million is based on a product that already exists, which is well documented. Anything that we do to adapt, modify or integrate it with other systems will be documented by us, with us and with the supplier. It's not a case of having to document every single screen and code from the outset, because we're not actually building a system from scratch. One of the key attributes in considering this bit from the supplier was about the element of reuse, so we actually lowered the risk to the programme, enhanced our chances of success of delivery, but also build on the back of a product that has global use. Just briefly, I was quite interested in something that Willie Coffey was leading on, that the 8.3 million is an off-the-shelf package. The shelf solution. Mr Coffey mentioned that that seems quite a lot of money. It does seem quite a lot of money, to me as well. Can you compare, if it's an off-the-shelf solution, or based on off-the-shelf solution, it must have been used before by someone else? So what did they pay for it? I can't share because I don't have the information of what other customers might have paid for the software, a component of our contract. 
What I can tell you is that I'm satisfied in terms of the public value and the public purse. At the end point that we reached in commercial terms was the best possible solution because of outcome for the Scottish public sector. How certain can you be that you've cut a good deal if you've no idea what the cost of the deal was to other users? Most suppliers, including the supply of most suppliers, will enter into commercial confidential agreements with all of their customers. It will be very hard for that confidentiality to be broken. However, it's fair to say that, with enough market gathering and intelligence and enough discussion amongst the supply community, you can get a feel for what the investment cost of software is and where that lands. I'm convinced that sitting around this table today and colleagues to my left will attest to my scrutiny and my commercial acumen in terms of commercial values. I'm satisfied that the price that we've landed up on that contract is the best possible price that we could have secured in the current climate for our requirements and what we needed to deliver that software. How satisfied are you? You talk about the bite-size process, so you're not just writing a cheque up front. One of the issues that we've looked at before on the I6 project was that there was ambiguity in the contracts, no one knew what was being delivered and who was responsible for the delivery and then how robust the indemnities were to ensure that, if there were cost overruns, that that wouldn't fall on the public purse. How confident are you that in your bite-size process the contractual documentation is sufficiently robust and indeed the indemnities are sufficiently robust that if there's a problem it doesn't fall on the public purse? First of all, as I've said already, the contract is capped at a maximum value so it can't be exceeded. The contract has been awarded with a maximum contract spend so it cannot be exceeded. 
There is a tolerance in there but there's an overall capped value in the contract. In terms of the indemnities that sit behind that, I'm not a procurement specialist but my procurement colleagues who've been with us every step of the way. We have assigned specialist procurement people now embedded in our programme, work alongside us. Every step we take is done with procurement with us hand in hand and I'm satisfied that the indemnities around public procurements and the framework we've used for that indemnifies us from that. We take it down a level into those bite-size chunks. Each piece of work will be driven by what kind of statement of work. That's a statement of work generated by us, agree with the supplier in terms of what we're going to get in the sprint over six weeks or six weeks or eight week period, what those deliverers are going to be and the majority of those I'd expect them to be fixed price but irrespective of whether they are fixed price available the maximum value of that supply that I can get from that contract is capped and within that the software cap, the costs of the actual software licenses are fixed and they are locked. James Kelly In terms of £8.3 million, what happens about the IT hardware? Is that separate from that £8.3 million? No, so the platform, the platform that is the solution we're running is going to be cloud-based again in accordance with the digital principles, digital standards, so the costs of actually running the platform is within the £8.3 million, so the actual virtual hardware that the software run on is all within that as are the annual hosting costs for the two years of the contract. So you're confident that the hardware can be encompassed within the £8.3 million? 
So the specification says part of the bid, the supplier has bid a configuration for the platform to their specifications based on our users, our anticipated volumes, a number of benefits, a number of payments that has to be handled and transacted, that's all architected in the overall solution. So there's a hosting element of that £8.3 million which accounts for all that in the cost too. Okay, in terms of the overall cost and the financial memorandum of £190 million, is there any detail as to how that's been built up? Do you want me to answer that? So colleagues who have been before the finance committee before have already touched on how the £190 million has been arrived at, so I'm not going to go over that in forensic detail. What I can say is that within the £190 million the maximum level of optimism bias in accordance with Treasury Green Book Standards has been applied. So we are on a journey for a to deliver a range of technology solutions to support the program and ultimately agency, and when those figures were put together they were based on what is believed is going to be required to get the various technology solutions to be put in place. This is an incredibly complex and challenging journey going on and nobody's saying that that is a spot on accurate figure, I think the figure that's been used in there is based, it's based over four years, and that's how that figure has arrived at, but it has got significant optimism bias built into it and perhaps other programmes in the past where optimism bias was at a much lower level. I've examined the various responses that have gone to the social security committee on this and also the finance committee and I've yet to see any explanation as to how the £190 million has been built up. Does anybody have that information and would be able to provide it to the committee? 
I can't sit here today and give you a fact by fact line by line but I'll take an action away to make sure that you're furnished with more or the committee's furnished with more details that perhaps puts more greater clarity on how the £190 million was calculated. I think finance colleagues before me have attempted to answer some of those questions I thought they'd done so satisfactorily but clearly not. Well just to be clear I'm not looking for a narrative or a description as to how the £190 million has arrived at, I'm actually looking for a table as to how those costs have been built up and what the different component parts are, therefore how the overall figure has been arrived at, because it is in the financial memorandum of a piece of legislation before this Parliament so it's quite important that we're able to back that figure up. Okay. That's great, grateful for you writing to the committee on that point. Bill Bowman. Thank you. I don't think we've spoken about future proofing. You said that you'd take a standard product and then you've amended it in some way. If the manufacturer comes along with an upgrade, a fix, a patch, an update, how easy or how future proofed are you when you've then got to start presumably adjusting that to whatever you did in the first place to the product? Okay. So our approach will be to take the product in its most vanilla standard form and adapt it as appropriate to the social security powers for Scotland in doing so and when the supplier, we won't take the product into a space where it can't receive routine upgrades and patches without reverse engineering. So our approach will be to make sure that the product is used as much as possible out of the box with adaptations configurations, but the supplier is on the journey with us and we will rely on him to make sure that we do not take the product into a space where it can't be upgraded in the future. Okay. 
I wonder whether I might draw your attention to paragraph 21 of your submission and just ask a couple of just kind of questions of detail. You say data innovation could potentially benefit Scotland by 20 billion. There's a wee asterisk there. I can't find the corresponding asterisk to tell me how you've arrived at this figure and if I can't find it maybe you can't either. So perhaps we should agree you should stop looking. Maybe you can forgive me and I can write to the committee about the, I mean that is an externally generated figure and is widely used in many contexts including the city deals and others. So it is a very well-trailed, but I apologise for the lack of a footnote. We read exactly what you sent to us. So if you could write to us with the source and explanation that would be particularly helpful. You then in the same paragraph go on to talk about Scotland has a world leading set of public data and then later on you say that this will deliver one billion in public sector efficiencies. Now if I was the cabinet secretary for finance I would be jumping all over this figure given his current budget problems. It's not a figure I recognise. How is this built up? Where do you get this from? If I could just be a little sharp about this, so far we have had hundreds of millions of pounds of failure in IT projects. You mentioned through yourself NHS 24, cap futures, Police Scotland, hundreds of millions of pounds. So I find it really difficult to accept your figure that somehow this is going to create a billion pounds of efficiencies because with respect that's not this committee's experience to date. I take the point. I will go back and reference that figure. It's a global understanding of how one can use data within the sphere of the public sector and the delivery of public services. It would include things like the use of predictive analytics in order to predict when particular health and social care circumstances might arise, that kind of thing. 
So it is very much a potential figure that's been built up by I believe independent experts but I will come back to you on the source of that figure. Not a figure Derek Mackay can say this is going to happen in his budget. It is not a figure that Derek Mackay will commit to. I suspect over the next lifetime of three years but he is definitely engaged with the process of how we use data in order to deliver efficiencies in the public sector. Good. I just don't like over claims. Paragraph 21 might need some adjusting. Anyway, can I ask any of you qualified IT professionals? I'm just curious because you behave as if you are, Ms McClintock. I'm not sure what you read into that. I'm not. I'm curious because it's a very technical area and I confess as a lay person. It's very difficult to understand so that must be the case for our non-IT professionals as well. It's a very technical area but it's also an area that requires a thorough understanding of user needs. It's an area that really expects you to understand how business processes work and an area that you have to bring commercial skills to bear. I think in front of you you have a combination of all of those things and right throughout my team you have a combination of user research, service design, commercial skills and technical skills where it's appropriate and we've done that quite deliberately. Your argument is that by restructuring that's taken care of the kind of lack of capacity in the past. By restructuring we've been able to identify where we have gaps and we're now filling those gaps with the people that we need and some of those people will be from within the organisation, some of those people will be from outside the organisation. From a social security programme director's perspective that's why I've got a very good chief digital officer. Indeed. 
I've been in Scottish Government for just over 10 years but before that I spent time in public sector in health in England and I've spent five years in the commercial sector working for software companies so I have a good understanding of the mechanics, the software revenue, the software delivery and all the things that go into software delivery so I bring a mixture of private and public sector skills to the table and that's why I've been selected for this easy job, as they tell me. Excellent and don't go anywhere very soon. Thank you. Can I just stick with the kind of expertise and people? You've got a group of senior academics providing challenge advice, all of that. What's their role? That's a group that we've set up to challenge our approach to the digitisation of government specifically what we call the development of digital business models for government so it's people like Mark Thompson from the Judge Business School in Cambridge and Alan Brown from Surrey and their role is to really to challenge us to make sure that they look internationally to identify best practice and to challenge that we are following that practice and they've done that very successfully. I think we say in the letter that we had a short research project done by some of their MBA students recently which has really helped just to position how Scotland is getting on in an international context and has provided a few important pointers for us and this is very much about setting government up and building new parts of government on the basis of digital business models the way in which you would set up a business in 2017 not a way in which you would have created a department in 1945 or whenever that would have been the case and I think having that expertise is indeed helpful but do any of these academics insofar as you're aware work in the private sector or have consultancies at the same time as they're advising you? 
Yes, I am aware of at least one that has a consultant or has a role in a consultancy but we make sure that there is no conflict of interest in the way in which we are using that individual. Okay, let me press you a bit further because obviously if they're sitting around the table with government at the same time they hold consultancies and are bidding for contracts whether it's social security or indeed whether they were involved as I understand one of them has been with Accenture which was of course the failed IT project for Police Scotland. How do you ensure that there is no conflict of interest given their involvement to date with Scottish Government IT projects and the potential involvement in the future? I'm not aware of one I mean there may well be and I apologise I'm not aware of a direct involvement with Accenture as a company that wasn't the one I was citing. What they are employed to do is to look at international best practice and to challenge us about the way in which we are thinking about the overall formulation of our approach to the development of digital business models. They are not employed to advise upon specific programmes of activity and they are certainly not advised to advise upon a procurement specification for any piece of activity that is not their remit. They are looking internationally identifying best practice and challenging us about whether we're meeting those kinds of standards. They're not dealing with specific projects. How do you check I'm assuming you do check the backgrounds of people to ascertain if there's a conflict of interest? Have you done it for them all particularly as I now understand from you that these positions are paid? We always look out for conflict of interest. We would recuse anyone from any issue that would lead to a contractual award that is not the case. I am familiar with that. I apologize I'm not sure which Accenture case is. 
We do look into the backgrounds of people because we want to ensure that we have the best quality advisers. The two names that I cited I would think under most external scrutiny would appear as the two of the top experts on the digitisation of government in the UK. We respect and take their advice. Sorry, I've got a list of some seven or eight names here that I was looking at. I just think that the issue is where you're talking about multimillion pound contracts in the public sector that some of these academics may well hold posts in the private sector and you would need to guard against influence. I'm looking for you to confirm that you have checked the backgrounds of all of these people as a matter of routine. I can confirm that they will have no impact upon any of them. That's not my question. That wasn't my question. I know we have looked into the biographies of those people because they've been proposed as experts and we've examined their credentials for being experts. I will make sure and I will come back to you that we have all the necessary documentation in place. If we haven't got it already we will make sure we do to give you that satisfaction. Please accept my assurance that they are not dealing at any level with anything that results in a direct contractual award and neither would it be appropriate to do so. I think that that is very helpful reassurance indeed and I would welcome that in writing. The procurement has just completed any 8.3 million pound contract. None of Colin's specialists or advisers had any part to play in any part of the journey. Okay, that's very helpful to know too. Thank you very much. Any remaining questions from committee members? No, I think that you've exhausted us all this morning. Can I thank you very much for your evidence and the committee will now move into private session. Thank you.