This article appears in eGov monitor Weekly

16 December 2002

Managing eGovernment Risks

By Peter Eckersley, eGovernment Research Officer, Institute of Public Finance

Business risk can be defined as "any event or non-event that threatens the successful achievement of business, strategic or operational aims and objectives." Identifying and controlling these threats effectively is the goal of risk management. Although a risk-free world is utopian, having effective procedures in place to deal with unexpected shocks is essential for any organisation wishing to deliver value for money and improve services. Risk management is a particularly important issue for eGovernment, due to its complex, cross-cutting nature. Amongst other things, risks can be associated with take-up, project management, PFI project contracts, disaster recovery or security.

The CIPFA eGovernment and Better Governance Forums held seminars on the subject of 'Managing eGovernment Risks' on 5 and 13 December in London and Edinburgh respectively. Both days looked at a variety of different risks associated with the public sector in general and eGovernment projects in particular.

Take-up risks

Speaking at the seminar, Tim Flesher, Director General of the Inland Revenue, identified engaging with the customer as the best way to mitigate take-up risks. Whilst developing its online corporation tax system, the Revenue brought together a sample of representative organisations to find out what services they wanted to see on its website.

Tim's expectation was that companies would want to submit taxes over the Internet. So he was surprised to hear that, above all, they wanted to view the state of their accounts, including what they have paid and when, and see the same screen as tax officers whilst in discussion with them on the telephone. This consultation helped the Revenue to develop a system that is very useful to its customer base and thereby mitigated take-up risks.

Project risks

The Office of Government Commerce has identified achieving customer focus as one of its 'top three' risks for eGovernment projects. Another concerns managing programmes and projects, for which 'risk registers' are useful tools. These identify which risks may occur and when, and which stakeholders would be affected; they also allocate responsibility and assess the probability, impact and potential outcomes of each threat. This latter point in particular will help determine the balance of resources that should be devoted to countering each risk and the necessity of a contingency plan. It is crucial to remember that risks continue throughout the life of a project (since important staff could move away, or political changes could result in different priorities), and failing to monitor the situation could therefore lead to drift or delay.

Risks in PFI projects

When compared to construction projects (schools, hospitals or prisons) that are funded by the private finance initiative, ICT and eGovernment projects involve greater risk to the financier because they do not leave a tangible asset for the bank to recover in the case of failure. And some eGovernment projects obviously have more potential threats than others.

For example, complex, cross-cutting projects (such as contact centres or one-stop-shops), which require major process changes and will have a significant impact on customers, involve much greater risks than purchasing new IT infrastructure, such as broadband, which usually has little direct impact on services and requires only limited organisational change. Raphael Miller, from RSM Robson Rhodes, argued that the best way for a purchaser to mitigate such risks is to put itself in the provider's position, since a provider that is unlikely to gain from the deal may provide a poor service. Other safety mechanisms are similar to those used to deal with contractual and legal risks.

Contractual and legal risks

Outsourcing has given contracts vital importance, as they represent the critical interface between purchaser and provider, defining the relationship between the two parties and allocating obligations (such as risk management), as well as deliverables. However, most traditional risk management and risk register approaches were developed before outsourcing became common and therefore do not address contractual risks sufficiently.

Rosemary Mulley from Nabarro Nathanson solicitors identified the specification as the area where most risk is likely to lie. If the scope of the project is not defined properly, conflict between provider and purchaser is likely to result. Since the objectives of the project must also be congruent with those of the organisation (thus requiring senior management rather than IT input), those staff involved may not be completely au fait with the product's potential or limitations, thus exacerbating this risk.

To mitigate schedule risks where the purchaser may be liable, practitioners should build in clauses that allow them to extend a contract's timeframe unilaterally. As with PFI projects, the contract should allocate responsibilities clearly - with risks to be managed by those best placed to deal with them.

Disaster recovery

e-Business and eGovernment's reliance on technology has increased the potential impact of risks on organisations - if websites, remote access, call centres or IT support are suddenly put out of action they can have a devastating effect. However, by conducting a business impact analysis, most modern organisations should be able to identify ways of keeping their critical functions going, either through alternative IT systems or by returning to manual processes.

Andrew Wiczling from ITNET identified examples of this whereby contact centres can automatically record messages or re-route calls to a different centre within 12 hours. The key is to work out which services should be prioritised and therefore receive the lion's share of the remaining resources - which could be the backup IT system, accommodation and other facilities. These solutions should also be tested and rehearsed at regular intervals.

Security risks

According to a DTI survey in April 2002, only 27% of UK businesses have security policies. Yet the majority of security breaches - whether deliberate or accidental - come from inside organisations. Not only does this highlight the risks inherent in new technology (such as viruses, installation of unauthorised software, use of the Internet and email for personal or illegal purposes), but the absence of a policy also leaves the employer on weak legal ground if they wish to prosecute a member of staff for an alleged breach. A security policy is therefore essential to counter potential internal threats, alongside firewalls, anti-virus software, monitoring and an intrusion detection system. Perhaps most important is a high level of awareness amongst staff. Security expenditure should be seen as an investment against potential risks, rather than a drain on resources.

However, it is important to get the balance right when dealing with customers and potential external threats. Tim Flesher spoke about the well-publicised security breach on the Inland Revenue's website in May 2002, when an error led to some users being able to view other taxpayers' bank details on the website. Despite this, the number of tax returns received online this year is four times as high as the 2001 figure. Tim attributed this to the site's usability (it provides an automatic calculation of liabilities, will not accept incomplete forms and removes unnecessary questions) and lack of excessive security features - there is no need to type in multiple passwords. This suggests that people are more concerned with ease of use than security and so the Revenue appears to have managed these conflicting priorities correctly, in spite of its negative publicity earlier in the year.

www.ipf.co.uk/egov
