Left column


Latest posts

    Cyber security: has the pandemic changed anything?

  • Posted on January 14, 2022 by

    The start of a new year brings the opportunity to look back and reflect on the challenges we faced in dealing with COVID-19 during the last year. One of the many impacts of the pandemic we did not foresee was moving many aspects of our social and economic life online to try and keep them going through lockdowns. This came with considerable advantages, keeping many businesses, social networks and relationships going. But it also came with a significant downside, as we all became more vulnerable to the risks associated with operating online. In addition to the major attacks like WannaCry and SolarWinds, which have affected organisations in the UK and overseas, it is now increasingly likely that each of us has either personally suffered from some kind of online crime or know someone else who has.

    In its latest Annual Report, government’s National Cyber Security Centre (NCSC) is clear about the nature of the risks we have faced during the pandemic, noting the startling finding that “From household goods to vaccine appointments, there have been few avenues criminals have not tried to exploit”. And the move to living more of our lives online has resulted in some shifts in criminal activity.

    The major trend identified by the NCSC is the growth in criminal groups using ransomware to extort organisations of all kinds. The NCSC describes ransomware as the most immediate cyber security threat to UK businesses: this obviously makes it a threat to the resilience and performance of the economy. But it is also a risk to both central and local government and the wide range of services which they support. So, whether we are taxpayers or service users, we should be concerned at this increased use of ransomware being added to the existing list of cyber threats.

    Unfortunately, the other threats on that list haven’t gone away. The March 2021 Microsoft Exchange Servers incident, in which a sophisticated attacker used zero-day vulnerabilities to compromise at least 30,000 separate organisations, highlighted the dangers posed by supply chain attacks. And there are plenty of examples in the news of other incidents, both malicious and accidental, which have put data, operations and organisational resilience at risk in both private and public sectors.

    In its new National Cyber Strategy, government has set out some of the things it wants to do to make the UK more resilient to cyber-attack. Like its predecessors, the Strategy is painted on a broad canvas, setting out high-level objectives: it says that the UK should strengthen its grasp of technologies that are critical to cyber security and that it should limit its reliance on individual suppliers or technologies which are developed under regimes that do not share its values. These objectives are aimed at the structural factors behind cyber security. And in the meantime, government is developing its Active Cyber Defence programme – which seeks to reduce the risk of high-volume cyber-attacks ever reaching UK citizens – and pressing ahead with other work on skills, resilience and partnerships across different industries and sectors.

    So, it seems clear that, despite the efforts of public and private sectors, the pandemic has exacerbated some of the threats we face online. But one thing that most experts agree on is that our best defence is getting the basics right. Many of the attacks which we have seen during the pandemic could have been avoided if individuals and organisations had followed recognised good practice. This includes actions like implementing formal information security regimes, avoiding unsupported software and adopting good password practices. We have specific guidance to help Audit Committees think about these sorts of issues in our updated Cyber and Information Security Good Practice Guide.

    So, if you are still thinking about your New Year’s resolutions, how about refreshing your cyber security practices? That may help you avoid becoming the next victim of a cyber-attack.

    Tom McDonaldAbout the author

    Tom McDonald is the Director responsible for the NAO’s work on cyber security. Tom has worked at the NAO since 2001 and has focused his career on the defence, overseas, health and national security sectors. He has degrees in modern languages, international relations and management from Bristol University and Ashridge Business School.

    Comment on this post...

  • Delivering programmes at speed? What you need to consider

  • Posted on January 7, 2022 by

    Ambulances need to travel fast! Ambulance drivers must take risks that regular drivers do not. This includes running red lights and travelling at high speeds through busy roads. However, to avoid accidents, precautions are taken to manage risks. The driver is trained, there are flashing blue lights and loud sirens.  

    Delivering programmes at speed requires a similar assessment of risks. In our recent lessons learned report we show that some programmes have successfully delivered quickly but not all – just as not all vehicles can be driven like ambulances. Speed creates greater risks which will not be appropriate or sustainable for every programme or organisation.  

    Should the risks of speed be taken? 

    Programmes may need to be delivered at speed for various reasons, including in an emergency or where there is a fixed deadline. We recently reported on the Kickstart Scheme launched by the Department for Work and Pensions (DWP). In response to a significant forecast rise in youth unemployment given the COVID-19 pandemic, DWP wanted to set up support quickly. It launched Kickstart on 2 September 2020, after only around six weeks of work, in time for the expected end of furlough in October 2020. We have also seen programmes delivered at speed as government simply wants to achieve outcomes sooner. A clear rationale for speed, can make it easier to get wider support and justify taking risks. Other drivers understand an ambulance’s need for speed and often make way. 

    Decision-makers need to understand ‘why speed’ to assess if the risks of speed are necessary and justifiable. Risks can include cost increases, not achieving outcomes, or people being diverted into a programme at the expense of other work. Our recent report on bounce back loans highlights the impact when risks are not managed – the Scheme facilitated faster lending by removing credit and affordability checks and allowing businesses to self-certify their application documents. Prioritising speed contributed to high levels of estimated fraud. 

    Given the risks decision-makers need to ask:
    • Can I justify taking the risks?
    • Have I thought about things enough?
    • Is the end result worth it?

    Monitoring and managing risks in practice 

    Where decision-makers choose to take the risks of delivering a programme quickly, they must proactively monitor and manage these increased and different risks. In November 2021, we shared insights from our lessons learned report with the Ministry of Justice team responsible for the Probation Reform Programme and the creation of the unified Probation Service to understand how this resonated with their practical experience. In June 2021, the Lord Chancellor had written to Parliament confirming probation services had been unified. 

    The team told us that they consciously chose to deliver at speed and identified a clear narrative for the reforms being at pace. As such, everyone was clear on the reasons for the reforms. The team also made clear that there was zero contingency beyond the expected delivery date. Alongside setting a minimum expectation of the requirements needed for Day 1, this helped force the pace and prioritisation of effort. 

    The programme team also highlighted the importance of strong leadership, with a culture of accountability and responsibility, to deal with any uncertainties or issues. In particular, they spoke of a culture which encouraged people to raise any problems they’d encountered, rather than hide them or focus on the ‘good news’. 

    Additionally, the programme team said they had built a strong internal assurance team, comprised of former senior operations staff, to carry out site visits and desktop reviews to ensure the programme was on track. 

    Alongside this, the programme team outlined the advantages of a flexible programme structure. The team recognised that it was difficult to plan everything up front, and instead ensured they had the required processes and information needed to respond quickly. This was done through regional teams, with a dedicated senior manager, tasked with identifying risks as soon as possible. This meant that the central programme team could deal with ‘unknown unknowns’ effectively when they arose.  

    Our insights 

    Many of the points raised by the Probation Reform Programme team align with our insights. In particular:  

    • Including speed as a specific programme objective to provide a clear framework for decision-making and help make trade-offs between speed, cost and outcomes. 
    • Building teams with the right leadership, skills and experience to make clear, timely and reliable decisions. 
    • Tailoring processes to add value and momentum to programme decision-making. 
    • Recognising the uncertainties of delivering at speed and managing these. 

    As speed remains important for ambulances, so it will for some programmes, particularly with commitments to achieving ‘net zero’ greenhouse gas emissions by the fixed deadline of 2050. Our report helps those deciding whether to deliver at speed ask questions to determine when or how this should be done and then continually test whether a programme will achieve its outcomes.  

    Further reading 

    About the authors

    Josh Perks is a qualified accountant with experience of working on the NAO’s transport team. His work has included audits of the main government transport bodies and value-for-money studies of major rail programmes. Recently, he has taken an active role in the NAO’s Major Projects Delivery Hub.

    Jemma Dunne is an Audit Manager and has delivered value for money reports across areas such as health and defence, including those on government programmes. She is a qualified chartered accountant (FCA) and holds the APM Project Management Qualification (PMQ).

    Comment on this post...

  • Effective governance and accountability is a mainstay for successful contract management

  • Posted on December 15, 2021 by

    This is the last in a series of posts on our good practice guidance for managing the commercial lifecycle. In that guide we shared fresh insights from our extensive body of work on government’s commercial activities.  

    It’s not surprising that many of the examples in our guidance related directly to responding to the COVID-19 pandemic. Just as everyday purchases we normally take for granted like buying pasta from the local supermarket, became complex thanks to the effects of the pandemic, so did government’s processes for buying the things it needed.  

    Of the supporting elements in our guidance which apply across the whole contract letting spectrum, governance and accountability may be the most crucial for responding to big changes and extreme circumstances. Risks are more likely to be borne out at any stage without the right people to make appropriate decisions and provide adequate scrutiny. 

    Explaining governance and accountability 

    When considering governance, we look at the oversight arrangements at an organisational level – poring over what risk reviews have taken place, and the adoption of learning from previous lessons.  When we consider ‘accountability’, we reference the support to contract managers; others charged with responsibility for the governance of contracts and the organisation as a whole (including the Accounting Officer for whom the duties for managing public money and reporting to Parliament falls to).  

    To be effective, these arrangements should facilitate open discussion and continuous improvement. Public bodies should demonstrate robust, independent oversight of both their contractual arrangements and overall commercial portfolios. We have often found that organisations do oversight well at a ‘big picture’ level or in fine detail but often cannot achieve both. 

    Accountability in complex systems 

    In 2020, we reported on the value for money of the local bus service system overseen by the Department for Transport. The report looked at the effectiveness of the government’s support for local bus services and whether the tools to improve local bus services were in place. The Department is not accountable for delivering bus services, but it has a national policy responsibility. We found that, during the COVID-19 pandemic, the Department came together with local authorities and operators, intervening rapidly to target the weakest areas and keep buses running – a good learning point for future programmes. 

    Using governance to support speed 

    Effective governance is important at all times but crucially so when risks are higher and goods and services are required to be delivered at greater speed. The NAO’s work on Lessons Learned: Delivering Programmes at Speed highlights the contribution governance can make in such situations. This publication references the need for governance structures to be tailored to support the pace of the work. We have seen different structures work in different circumstances, but the main principles are to have clear accountability lines and to involve the right people at the right time. 

    An example of the importance of clear accountability comes from the NHS Test and Trace Service. This was created to lead the government’s COVID-19 test and trace programme, which was delivered in part by contracted providers. The NHS Test and Trace Service was part of the Department of Health & Social Care (the Department) and was subject to the Department’s financial, information and staffing controls. However, the executive chair of the NHS Test and Trace Service did not initially report to the Department’s ministers or Permanent Secretary, but to the Prime Minister and the Cabinet Secretary. This unusual organisational relationship created dual reporting lines, which brought risks of unclear accountability. The relationship subsequently changed so that the executive chair reported to the Secretary of State for Health. 

    What good looks like 

    In defining how to achieve good governance and accountability to support successful contracts, our good practice guide sets out areas of improvement and outlines our expectations of best practice. They include:  

    • Accountability is defined and responsible officers are appropriately empowered. 
    • There is effective independent scrutiny of commercial activity. 
    • Lessons learned promptly feed into the wider strategy and plans for other contracts, and are integrated into needs assessment and the list of strategic suppliers. 
    • Reliable, timely management information is used for rapid diagnosis of issues and prompt action. 
    • The organisation’s own performance against obligations and the supplier’s view of performance are known and considered. 
    • Industry expertise is valued and used, subject to robust independence controls. 

    Wishing you all successful governance and accountability arrangements for your contracting activities!  

    About the author

    Iain Forrester

    Iain Forrester is a qualified accountant with long experience of working on the NAO’s commercial and contracting related work. This has included cross-government work on grants, shared services, EU Exit, and the government’s response to COVID-19. He also worked on the commercial and contract management insights guide published in 2016.

    Comment on this post...

  • Commercial strategy needs to be joined up to achieve best value

  • Posted on November 25, 2021 by

    Last December, the government published a Green Paper on Transforming Public Procurement. It  stressed that investments should be subject to consideration of the public good, including supporting national priorities. It discussed leveraging commercial activity to achieve social and environmental value.

    For our good practice guidance for managing the commercial lifecycle, we examined similar opportunities and how to support them. We shared fresh insights and learning from our extensive body of work on government’s commercial activities. In this latest post, I will share some of our insights on commercial strategy.

    Commercial strategy means thinking about the overall approach to ensure that procurement and other commercial activities provide the outcomes that government wants and benefit us all. This is the part of our guidance which really focuses on the context around what government does when it runs a competition or revises a contract, and the importance of joining up different elements.

    Joining up commercial strategy is vital if government wants to achieve its wider aims as well as value for money. That includes establishing a consistent approach to risk management, and the organisational capacity and capability to respond to uncertainty. It is also where other considerations come in, including where procurement can be a lever for larger goals like encouraging innovation or diversifying the landscape of suppliers to government. Commercial strategies should demonstrate how each commercial agreement aligns with wider strategic objectives and how this is then reflected in the approach for managing commercial risks and incentives throughout the commercial lifecycle.

    A couple of our past reports give good examples of the importance of joining up strategy at the programme level and more widely.

    Aligning timetables

    In 2018 we reported on The Ministry of Defence’s arrangement with Annington Property Limited, a sale and leaseback arrangement for accommodation. As part of our review, we found that the timetable for developing the Ministry of Defence’s wider estate strategies was not aligned with the timetable for rent reviews. The department was developing a ‘Future Accommodation Model’ intended to provide personnel with more flexible accommodation options. However, the timing meant that its negotiations on the sites with Annington would begin before a decision was taken on the wider model. This affected its ability to develop negotiating strategies for these sites. We recommended that the department align the timetables to use realistic scenarios in its negotiations, giving it a clearer strategic view.

    Leveraging procurement across government 

    On a wider scale, we reported in 2016 on the government’s spending with small and medium-sized enterprises (SMEs). The government recognised that SMEs could offer many benefits to the public sector, including flexibility, innovation and better value for money due to lower overhead costs, as well as increasing local investment and improving social outcomes. We recommended that the government should take a more focused approach, identifying where SMEs could bring the most benefit, and look into an integrated cross-government procurement platform to support its commercial strategy. The government has since introduced guidance for SMEs applying for contracts and promised to invest in joining up the different procurement systems. The intention is that this will help drive the commercial benefits from better data sharing – as part of changes to procurement processes following exit from the European Union.

    That is an example of the kind of strategic approach to identifying risks and opportunities which we want to see applied consistently across organisations, and we look forward to seeing how government’s follow-up to Transforming Public Procurement would help to further encourage this.

    What good looks like

    Our good practice guide sets out areas of improvement and outlines our expectations of best practice, with specific case study examples that demonstrate some of these expectations of a joined-up commercial strategy. They include:

    • Commercial, policy, operational and business teams work together to develop a clear understanding of the contracts and produce required outcomes
    • Each contract staffing model is developed early, regularly reviewed and tailored to different contract stages
    • Capability plans include operational resilience to address unplanned demands
    • Knowledge and experience of underlying contract issues is retained throughout the lifecycle of a commercial relationship
    • There is investment in the organisation and its people to ensure adequate access to training and development to support commercial awareness and expertise.

    About the author

    Iain Forrester

    Iain Forrester is a qualified accountant with long experience of working on the NAO’s commercial and contracting related work. This has included cross-government work on grants, shared services, EU Exit, and the government’s response to COVID-19. He also worked on the commercial and contract management insights guide published in 2016.

    1 Comment

  • A small leak will sink a great ship: the need to counter fraud and error in government

  • Posted on November 16, 2021 by

    My outdoor tap leaks. Not very much, just a small drip. And though I put a bucket underneath to catch the drips, I’ll admit that sometimes the bucket overflows before I can use the water in my garden. I know I should find out if it’s just a dodgy washer or I need a replacement tap but somehow it never makes it to the top of my to-do list.

    Out of interest, the other day I looked up how much a leaky tap costs the average household. Potentially hundreds of pounds each month, so safe to say it makes financial sense to get it fixed. Then I saw that leaky taps cost UK householders an estimated £3 million every year. Thousands of little drips adding up to a big chunk of money being washed away.

    The Government Counter Fraud Function (GCFF) faces a similar challenge when trying to tackle fraud against the public purse. Government estimates that £26.8 billion a year is lost to fraud and error in the tax and welfare system, but for me, the most surprising thing is that GCFF estimate that up to £25 billion a year more is lost through fraud and error in other areas of government spending. The measurement data available suggests that most departments are losing a relatively small amount to fraud and error every year, but these hundreds of small leaks add up to an eye watering cost to the taxpayer.

    Part of the problem government faces is this sheer diversity of risk – fraud and error impacts everything from grants and procurement to income collection. Fraud and error has also traditionally been the sole responsibility of each department to manage leading to considerable variations in approach to similar risks. Although this has clear benefits for accountability, focusing on risks by organisation rather than type and across multiple organisations leads to missed opportunities. Most government grant programmes are likely to face similar challenges when it comes to managing fraud and error risks, even if their exact nature varies.

    The GCFF was established in 2018 as a means to bridge these gaps and bring together the 16,000 or so people working in public sector counter-fraud to share knowledge and best practice. Though progress has been made, in June 2021 the Committee of Public Accounts reported that the

    Cabinet Office and HM Treasury’s central mechanisms for managing fraud and error are still in their infancy

    There are also less than 7,000 recognised counter-fraud professionals working across central and local government and policing, with more than 75% of these working in tax and welfare. That doesn’t leave many qualified specialists to tackle all the other fraud risks across government.

    The GCFF recognises that the information it holds on fraud and error losses outside the tax and welfare system needs improvement – its fraud loss estimate of 0.5% to 5% of expenditure is a massive potential range. In our Good Practice Guide on Fraud & Error, we set out how departments need to ensure they have a cost effective control environment. This means doing everything they reasonably can to minimise fraud and error, to the point where doing anything more would have a detrimental impact on wider objectives. In a world of limited resources is it enough to replace a washer or do they need a brand new tap?

    The Good Practice Guide also includes our Fraud and Error Audit Framework, developed over several years based on best practice in government and the private sector. Fraud and error risk is continuously evolving, and the Framework provides a structure for assessing how management uses an iterative approach to measure the effectiveness of its counter-fraud and error activities and to continuously improve its controls.

    Ultimately, without more precise information on the scale and causes of fraud and error outside the tax and welfare system, government risks large amounts of fraud and error remaining unidentified or untackled. Ensuring that more effort goes into improving government’s understanding of exactly where money is leaking from the system  is a key focus of our ongoing work on fraud and error. Now, more than ever, it’s important to make sure that vital taxpayers’ money isn’t being washed down the drain.

    About the author

    Katie Dixon manages our work on fraud and error within the Financial and risk Management Hub. She joined us as a trainee in 2011 and, after qualifying as an accountant, completed a masters degree in counter fraud and counter corruption studies. She has experience auditing fraud and error risks across financial, investigative and value for money audits and represents the NAO on several public sector fraud expert panels.

    Follow Katie on LinkedIn


  • Capability is for contract life, not just for procurement

  • Posted on November 2, 2021 by

    The NAO’s work includes looking at a huge range of government activities, and the setting up and managing of commercial arrangements are central to many of them. This became very clear when looking back at twenty years of our work auditing government’s spending and reporting on its value for money for taxpayers. Over this time, we have assessed over 350 of government’s agreements with commercial partners to deliver services and goods for the public.  

    Government has come a long way in developing its expertise in this space, but the pandemic and the need to procure services quickly has highlighted the extent to which further improvements are needed. Our perspective looking right across government and its programmes puts us in a unique position to draw together lessons and the common themes which have kept coming up in our work. 

    One example is our recently published Good practice guidance: managing the commercial lifecycle. In it we share fresh insights and learning from our extensive body of work on government’s commercial activities. The guidance has 10 sections – six procedural steps and four supporting elements. I previously wrote about one of those supporting elements, data, and this time I want to focus on another: capability.  

    Capability covers both personal effectiveness and organisational capability. It means having people within commercial teams and elsewhere with the appropriate commercial skills, at the right time. It also means supporting them with appropriate organisational leadership, systems and levers to deliver the required outcomes. Achieving all of this will require some measure of collaboration across organisations – be they cross government, or the wider public and private sectors.  

    Getting these capability aspects right is crucial throughout the entire process of the commercial lifecycle, from requirement through to transition at the end of the contract and is a key area for improving outcomes. An important aspect of managing contracts is being able to respond to change.  

    Substantial additions to government’s programmes, like the purchasing of COVID-19 vaccines and the associated equipment to roll out the vaccine programme, have shown just how much change can occur in a short time. This comes alongside the pandemic’s disruption of long-held assumptions and traditions, with huge impacts to our ways of life. 

    If that much change can take place within a couple of years, it’s clear that contracts, which sometimes span decades, must often react to very significant changes. That means that organisations need to make sure they maintain the appropriate skills and capability to manage contracts and commercial activities as a whole.  

    Some of our past reports highlight the importance of capability approaches. For instance, in our progress report on Terminating the Magnox contract, we highlighted the importance of reassessing capability throughout the life of a contract.  

    In March 2017, the Nuclear Decommissioning Authority (NDA) decided, based on legal advice, to terminate a 14-year reactor decommissioning contract due to a “significant mismatch” between the work specified in the tendered contract and the work that needed to be done. The NDA decided to renegotiate the contract with the incumbent, with the contract ending in 2019, nine years earlier than originally planned. To react to the change in circumstance and to better equip itself, the NDA commissioned a review of the delivery plan to improve its intelligent client capability before changing contract arrangements. It also strengthened its executive team, including a new commercial director, and increased the capacity of its contract management team. These changes were an example of meeting the expectation that contract staffing models should be regularly reviewed and tailored to different contract stages.  

    In our report on the BBC’s TV licence fee collection, we recognised how the BBC had benefited from introducing contract governance and reporting, supported by a multi-disciplinary team model and a wider strategic contracts infrastructure. We also recommended that it should maintain information on commercial skills to enable it to adapt to changes, such as upgrades to technology and ICT, which require different skill sets. This point was particularly important because we had identified that the BBC did not routinely assess its commercial skills and future requirements. 

    In our good practice guide we emphasise ways that improvements can be made to organisational and people capability, and their application throughout the commercial lifecycle.  

    There is an opportunity to make projects more successful in the short and long-term. We include expectations that:  

    • Commercial, policy, operational and business teams work together to develop a clear understanding of the contracts and produce required outcomes 
    • Each contract staffing model is developed early, regularly reviewed and tailored to different contract stages 
    • Capability plans include operational resilience to address unplanned demands 
    • Knowledge and experience of underlying contract issues is retained throughout the lifecycle of a commercial relationship 
    • There is investment in the organisation and its people to ensure adequate access to training and development to support commercial awareness and expertise. 

    The guidance also includes our expectations of good practice for all other stages of the commercial lifecycle and draws attention to some of the most important things for government to improve in its commercial activities. Stay tuned for further entries in this blog series, the next of which will be on commercial strategy. 

    About the author

    Iain Forrester

    Iain Forrester is a qualified accountant with long experience of working on the NAO’s commercial and contracting related work. This has included cross-government work on grants, shared services, EU Exit, and the government’s response to COVID-19. He also worked on the commercial and contract management insights guide published in 2016.

    Comment on this post...

  • Data is not just about numbers but opportunities

  • Posted on October 4, 2021 by

    We live in a time when more of our data is collected and connected than ever. It happens when I make an online lunch reservation and Google automatically turns the confirmation email into a reminder on my phone. The pandemic has taken this one step further. When I arrive at the restaurant I now need to scan a code to help supply information to the COVID-19 tracking app.

    Alongside an increase in demand for our own data there has been greater public expectation for government to be transparent with its data. For instance, in relation to the commercial elements of its pandemic response: from spending on Test and Trace to new contracts for PPE and for food boxes for the clinically extremely vulnerable.

    As the independent auditors of government, giving Parliament and the public greater transparency around government’s activities and the value for money that it delivers is at the heart of what we do.

    In our recently published Good practice guidance: managing the commercial lifecycle, we share fresh insights around what we learned from our extensive work on government’s commercial activities to help inform future actions and to support better sourcing of the things government needs. Transparency and data is one of four supporting elements which are important to the entire commercial lifecycle.

    There are many opportunities to make better use of the government’s commercial data and digital solutions to improve value for money throughout the commercial lifecycle. For example the process of publishing data could become easier; more useful connections can be created; and more insights could be gained from across the whole of government. But before this can be achieved, government must address challenges it has with late and incomplete disclosure of the information it is required to publish.

    This is because government’s stated policy is to adopt and encourage greater transparency in its commercial activity. Publishing information on contracts is an important part of its commitments. It recently reinforced this through a new Procurement Policy Notice. However we found in several past reports that publication of contract information fell short of what is required, for instance in not publishing details of contract awards within the timescales it is required to.

    Addressing these issues can go hand-in-hand with taking practical steps towards better use of commercial data. Analysis of our own reports on commercial topics over the past five years shows that there have been improvements, but we still found cases where the lack of commercial data has hampered government’s ability to analyse its spending and what it is getting in return.

    For instance, in the report Care leavers’ transition to adulthood, we looked at the data on local authority services. We found that without the data being accurate, complete and comparable, the Department for Education couldn’t support assessments to determine whether services offered good value for money.

    In our report on Improving value for money in non-competitive procurement of defence equipment, we saw an example of the potential benefits of increased transparency of information on costs for contracts. The Ministry of Defence told us that greater access to supplier cost information allowed it to monitor actual costs against the estimates in contract prices. It meant it could hold negotiations in a more informed way.

    Across government there is a chance to improve data and extend commercial transparency to give a clearer view of supplier profits and performance throughout its commercial arrangements. The government also needs a strategy and leadership to navigate the tensions between commercial sensitivity and the public interest. For instance, there should be a more consistent approach on which details need to be redacted from contracts for sensitivity reasons.

    In our good practice guide we highlight some of the key ways that improvements can be made in commercial data and transparency infrastructure and arrangements. Data and transparency are crucial to all steps of the commercial lifecycle. There is a big opportunity to implement improved infrastructure to make it easier to make better use of data.We include expectations that:

    • Transparency rules and guidance are consistently followed in full
    • Transparency principles are applied to what is procured and how, as well as to performance and changes to the contract.
    • The collection of data is transparent, proportionate and timely to support the understanding of processes and the market.
    • Data specification makes the data easy to share and use – consider open data standards, including common taxonomies and unique contract identifiers.

    We have also set expectations for good practice and what we see as the most important things for government to improve in other aspects of the commercial lifecycle, and will cover these in future posts, so keep tuned for further entries in this blog series.

    About the author

    Iain Forrester

    Iain Forrester is a qualified accountant with long experience of working on the NAO’s commercial and contracting related work. This has included cross-government work on grants, shared services, EU Exit, and the government’s response to COVID-19. He also worked on the commercial and contract management insights guide published in 2016. 

    Comment on this post...

  • Climate Change risk: Are We Doing Enough, Fast Enough?

  • Posted on September 13, 2021 by

    “The world is now living through climate change, not watching it draw near” is the stark warning delivered by the IPCC (Intergovernmental Panel on Climate Change), in its sixth assessment report (AR6).

    In risk speak, high-impact, low-likelihood events will become more likely with higher temperatures.

    With COP 26 fast approaching and extreme weather events becoming an uncomfortable ‘new normal’ across the world, not a week goes by without media coverage of the physical risks of climate change whether it be the: scorching heat in Canada, wildfires in the Americas, or devastating floods in Germany, India and China.

    So, are we acting fast enough?

    The verdict from the Climate Change Committee’s June progress report is “with every month of inaction, it is harder for the UK to get on track” with its climate ambitions.

    To gauge the level of climate change risk maturity in government we surveyed Chairs of Audit and Risk Assurance Committees (ARACs). While four out of five ARAC Chairs considered climate risks to be relevant to their organisation, over half noted that their organisation did not have a climate or sustainability risk policy or a dedicated employee accountable for either. Additionally, seven in ten Chairs said that climate change risks had either never been discussed at an ARAC meeting or had been discussed less than annually.

    Against this backdrop, we intend to help government organisations start the conversation around climate change risk.

    What is climate change risk?

    As risk professionals we tend to think in terms of “what could go wrong?” and how “how can we manage these risks?”.

    Government organisations have a huge challenge in trying to balance short, medium and long-term risks. The UK, and indeed the rest of the world, are still recovering from the COVID-19 pandemic, which showed how crucial it is for organisations to have the resilience to respond to high-impact, low-likelihood events. It is important that a true assessment of long-term risks is considered.

    Our good practice guide intends to help with this. In setting out the wide variety of potential risks that climate change can bring about, it will help all organisations across government – not just those responsible for leading on climate policy –identify and effectively manage a variety of climate change risks. These risks stretch beyond the physical risks, such as the impact of rising temperatures. They also include the risks posed by the transition to net zero and risks specifically posed to government organisations.

    How to support and challenge management

    Our guide further allows audit and risk assurance committees to constructively challenge management’s approach to climate change risk.

    This can be done across the whole risk management cycle: from initial identification and assessment, to treatment and monitoring, through to risk reporting and continual improvement.

    For many organisations effectively managing climate change risk will be a long journey. Our challenge questions are a great tool to help you do this.

    Example questions
    Example questions for the risk management principle ‘Governance and leadership (plain text alternative)

    Key takeaways of the Good Practice Guide can be found here. We hope you find it helpful.

    Authors: Mfon Akpan, Chris Coyne, Courtnay Ip Tat Kuen


    About the authors           

    Mfon Akpan

    Mfon leads our Financial and Risk Management Hub. She is a Big Four trained multi-disciplinary Risk, Assurance and Governance professional with over two decades of cross-border leadership experience across the financial services industry and beyond.

    Mfon has held roles at a number of blue-chip institutions, including the World Bank Group as a Risk Management Specialist, Standard Bank Group where she was the Chief Risk Officer and Regional Head of Risk for its operations in Nigeria and across West Africa, respectively, and Barclays Group Plc where she was an Audit Director.

    Follow Mfon on LinkedIn

    Chris Coyne

    Chris manages our work on financial and risk management. He has been with the NAO since he joined as a graduate trainee in 2008, and has significant experience managing financial audits across a variety of government organisations.   

    Follow Chris on LinkedIn 

    Courtnay joined the NAO in 2013 as a graduate trainee. She has experience leading and managing audits in the public, commercial and charity sectors, as well as acting as an Ambassador for the International Technical Cooperation team.


  • Efficiency – who’s judging?

  • Posted on August 26, 2021 by

    I stumbled across the television programme ‘Undercover Boss’ last week. I’d never seen it, but the premise is simple. The chief executive of a company dons a disguise and spends a week working undercover in their own organisation to see what it’s really like. It reminded me of ‘Troubleshooter’, a similar show in the 1990s that was about helping businesses in trouble – minus the disguises. It would focus often on boardroom tensions over the company’s strategic direction or ignoring great ideas from the ‘shop floor’. Inevitably the advice was typically about opportunity for efficiency and better products.

    Government has more complex challenges but a spending review is looming. It will undoubtedly need to address the cost of the pandemic as well as providing existing and new services. HM Treasury has asked government departments to make plans for achieving substantial efficiency savings by 2024-25. But what might this mean in practice?

    It’s tempting to look at efficiency in government through a cost lens. To reduce costs by having fewer people or stopping activities altogether. But what next after one-off savings? How do you know there will be no impact on the outcomes achieved? How do you ensure that what makes sense from a department’s viewpoint doesn’t have unintended consequences and push problems, demand and costs elsewhere? Such as happened in the past when HMRC’s tax services moved online but demand for telephone advice stayed the same and service deteriorated.

    Perhaps the more searching question to answer is, efficiency in whose eyes? What does efficiency look like through the lived experience of those impacted? Efficiency is achieving more with the same. Or achieving the same, or more, with less. Government needs to judge the outcome side of the equation to know if it’s making a difference.

    Looking at efficiency through the lens of the user can help to ensure services aren’t adversely affected. Understanding service users and what they value, helps predict how they will react when services change. You can make the right improvements if things aren’t working and take out unnecessary activity. Get this right and efficiency will focus on what’s important to the people using the services.

    I’m lucky in my role. I’ve spent 10 years being able to play a version of the undercover boss seeing how government departments and services work. That’s shown me plenty of untapped potential for improvement and efficiency.

    Our good practice guide on improving operational delivery points to three underlying questions to focus efficiency on outcomes:

    Why: is it clear what our priorities are?

    This will help government align on and inform cross-cutting purpose, objectives and investment. Departments can make consistent trade-offs where priorities seem to conflict. (See how government has used the public value framework to inform priorities and outcomes in spending reviews)

    What: is real life experience informing our chosen approach to achieving our priorities?

    The experience of people impacted needs to inform and continue to challenge the chosen approach. (See Are you making a bid for design? for how government is encouraging such an approach)

    How: is there a better way to do our work?

    It’s rare for new ways of working to be perfect. But people doing the work understand what is and isn’t working in the services they are providing. Supporting them with the capability and time to identify opportunities, innovate and solve problems will improve services. (An ambition set out in the Declaration on Government Reform).

    All three questions matter. Efficiency is about getting better at how we do our work. But that raises the risk of ‘doing the wrong thing righter’ – perfecting work that isn’t important. Stepping back and questioning why we do something, and our chosen approach is trickier but vital. That challenges our long-held views, assumptions and the status quo.

    Our recent report, efficiency in government report, has lessons on identifying, planning and embedding efficiency. It’s the first in a series, outlining how government can use the outcomes that matter as the basis for longer-term decisions, rather than just seeing efficiency as a short-term numbers game. Combining this with good operational management will provide the adaptability that government needs to cope with changing whole-system demands.

    About the author:

    Alec Steel

    Alec Steel

    Alec has led our operations management specialism since 2010, and supports government thinking across the UK, Europe, USA and Australia. He has authored reports on subjects ranging from major project assurance to the use of consultants, and his assessment of operations management capability across central government in 2015 drew on learning from 32 organisations and 86 operational services.

    Comment on this post...

  • Six reasons why digital transformation is still a problem for government

  • Posted on August 4, 2021 by

    It’s revealing to look at the timeline of digital transformation initiatives over the last 25 years. Government’s ambition for ‘world class’ services using joined-up systems and data goes back to the mid 1990s, from where we can trace a steady stream of policies and initiatives right through to last autumn’s National Data Strategy. Most of these cover similar ground, which shows how hard genuine transformation is.

    Repeated cycles of vision for radical digital change have been accompanied by perhaps an overly simplistic view of the ease of implementation. Government is not a greenfield site where brand new systems can be created at will. New ways of doing business and services need to fit into a government landscape still dominated by legacy systems and data. As a result, well-intentioned initiatives have petered out, falling short of achieving their intended outcomes.

    It’s important not to see this report as just another commentary on project and programme management failures. In business transformation initiatives with significant digital elements, the intangible nature and use of novel technology introduces many more ‘unknown unknowns’. Contrast this with infrastructure projects, where people can visualise the end product within the laws of physics. This allows a clearer sense from the outset of what is realistically feasible.

    Digital leaders bring experience and understand the challenges well. But they often struggle to get the attention, understanding and support they need from other senior decision-makers. This is borne out by a recent government review into Organising for digital delivery which identified a significant challenge of low technical fluency across the civil service leadership generally. This contrasts with the commercial world where technology is increasingly seen as a critical delivery lever and senior leaders are expected to have a clear understanding of how to deploy it effectively.

    Six reasons why

    We wanted to shine a light on the systemic issues that need to be tackled before a programme even gets underway, using our past reports as illustrations. When implementing digital business change programmes here are six things to get right at the outset.

    1. Understand your aims, ambition and risk by:
    • Avoiding unrealistic ambition with unknown levels of risks
    • Ensuring the business problem is fully understood before implementing a solution
    • Planning realistic timescales for delivery, which are appropriate to the scope and risk of the programme.
    1. Engage with commercial partners through:
    • Spending enough time and money exploring requirements with commercial partners at an early stage
    • Adopting a more flexible contracting process that recognises scope and requirements may change
    • Working towards a partnership model based on collaboration with commercial suppliers.
    1. Develop a better approach to legacy systems and data through:
    • Better planning for replacing legacy systems and ensure these plans are appropriately funded
    • Recognising the move to the cloud will not solve all the challenges of legacy
    • Addressing data issues in a planned and incremental way, to reduce the need for costly manual exercises.
    1. Use the right mix of capacity, make sure you:
    • Are clear about what skills government wants to develop and retain, and what skills are more efficient to contract out
    • Better align political announcements, policy design and programme teams’ ability to deliver through closer working between policy, operational and technical colleagues.
    1. Consider the choice of delivery method through:
    • Recognising that agile methods are not appropriate for all programmes and teams
    • When using agile methods ensure strong governance, effective coordination of activities and robust progress reporting are in place.
    1. Develop effective funding mechanisms by:
    • Ensuring that requirements for both capital and resource funding are understood and can be provided for.
    • Seeing technology as part of a service that involves people, processes and systems in order to better consider the economic case for investment.

    We recognise that addressing the challenges around digital business change programmes is difficult but using these six lessons will support practical improvements. If you want to find out more, our report The challenges in implementing digital change looks into why large scale government programmes repeatedly run into difficulties.

    About the author: 

    Yvonne Gallagher

    Yvonne Gallagher

    Yvonne is our digital transformation expert, focused on assessing the value for money of the implementation of digital change programmes. Yvonne has over 25 years’ experience in IT, business change, digital services and cyber and information assurance, including as CIO in two government departments and senior roles in private sector organisations, including the Prudential and Network Rail.


    1 Comment

Right column

  • About the NAO blog

    Our experts share their views about issues and common challenges facing government, what public sector leaders should look out for and how organisations have addressed issues. Our posts draw together threads from across our reports, share secrets spilled in events and reveal our experts’ expectations for the future.

    We encourage comments that support the exchange of ideas for improvement, but ask that those posting are respectful of others.

  • Sign up for automatic feeds

    Sign up to receive email alerts:

    RSS IconSubscribe in an RSS Reader