STATES OF JERSEY
CYBER SECURITY ARRANGEMENTS (R.71 /2022): EXECUTIVE RESPONSE
Presented to the States on 15th August 2022 by the Public Accounts Committee
STATES GREFFE
2022 R.71 Res.
FOREWORD
In accordance with paragraphs 64-66 of the 'Code of Practice for engagement between Scrutiny Panels and the Public Accounts Committee' and 'the Executive' (as derived from the Proceedings Code of Practice), the Public Accounts Committee (the 'Committee') presents the Executive Response to the Comptroller and Auditor General's Report entitled: Cyber Security Arrangements (R.71/2022, presented to the States on 6th May 2022).
It is intended for the Committee to be fully constituted after the appointment of Lay Members during the States sitting on 13th September 2022. As such, the Committee will review the responses in detail after its formation and present any further comments to the States Assembly in due course.
Deputy L. Feltham
Chair, Public Accounts Committee
SUMMARY OF RESPONSE
The report on the Cyber Security Programme was published before the final evidence items were provided to the C&AG. As such, a number of the recommendations, as they would apply specifically to the Cyber Security Programme, were dealt with through that final exchange of evidence. Many of the recommendations refer to Major Programmes in general and not specifically to the Cyber Programme. Where the recommendation refers to Major Programmes, the response has been provided by the Corporate Portfolio Management Office (CPMO) and/or Strategic Finance. Where the recommendation relates specifically to the Cyber Security Programme, the response has been provided by the Cyber Security Programme's Programme Management Office.
A significant number of the Major Programme recommendations are dealt with through the CPMO Programme Delivery Framework and/or Project Delivery Framework, which were published in 2021. At the time that the Frameworks were published, it was agreed that in-flight Programmes and Projects would not be required to complete documentation retrospectively but would fall into line with the Framework at the next Stage Gate. As such, at the time of the audit, the Cyber Security Programme may not have been fully compliant with the relevant Framework but would be expected to become fully compliant at the next Stage Gate. This situation would apply to all Programmes and Projects that were in flight in 2021.
ACTION PLAN
Recommendations | Action | Target Date | Responsible Officer |
--- | --- | --- | --- |
R1 Secure documented formal senior approval of any changes to high-level programme targets. | Accepted. This has already been enacted as part of the discussion around FY22 changes to scope and planning, with Formal CRN-062 being presented to the ACM for review/approval. | Complete | Programme Manager, Cyber Security Programme |
R2 For major programmes, adopt a set of success measures that can be used to evaluate the impact of a programme in a clear and straightforward way. | Partially Accepted. The definition of success measures for programmes and projects is required to be set out and approved in the business case. The business case also presents the options identified and appraised and should clearly articulate the reasons for the recommended option. All business cases requiring additional funding are submitted for investment appraisal prior to being recommended for approval via the Government Plan or Ministerial Decision. If a business case is approved, the programme/project can move into delivery. The strength of the business case and identified success measures will determine the ability to effectively evaluate the impact of the programme. In 2021, the CPMO launched two Frameworks, the Programme Delivery Framework and the Project Delivery Framework. The purpose of these Frameworks is to provide consistency of language and approach to programme and project delivery and to provide additional control using stage gates. The stage gates mandate formal evaluation of the programme/project against its business case to assess whether it is still viable, still represents value for money and is still likely to deliver the benefits defined in the business case. This would include any measurable benefits identified in the business case, although it should be noted that not all business cases have included measurable benefits. It is the ambition of Strategic Finance to improve the quality of business cases, which would include a focus on including measurable benefits. In addition to the stage gates, monthly progress and performance status reporting on all programmes and projects has been mandated and, at the completion of a programme/project, the Frameworks mandate a post implementation review and Closure Report which contains a clear requirement for the stipulation of benefits realisation plans and ownership, should the realisation of benefits be in the period post completion of the programme/project. Going forward, all projects initiated (and those defined and planned as part of Government Plan 2023) will follow the frameworks, allowing for the upfront definition of success measures for consistent evaluation throughout. Existing Major projects, particularly those in delivery stages, are not expected to retrospectively complete documentation and so this process is expected to take until mid to late next year to embed. | Q3 2023 | Head of CPMO |
R3 For major programmes, set overall milestones for delivery at programme level and monitor against those milestones. | Partially Accepted. The CPMO frameworks referenced above provide a standard set of stage gates throughout the programme/project lifecycle. The stage gates mandate formal evaluation of the programme/project against its business case to assess whether it is still viable, still represents value for money and is still likely to deliver the benefits defined in the business case. In addition, monthly progress and performance status reporting on all programmes and projects requires monthly review and updates to programme/project milestones. In 2022, this has been expanded to also require a status against each milestone and forecast milestones to allow forward planning at a portfolio level. It is recognised that, as with R2 above, this process will take time to embed. In-flight projects are not expected to retrospectively complete documentation, but they are expected to complete updates to stage gate milestones via the reporting system on a go-forward basis. Assessment of the validity of this information is also required and this will take place monthly as part of quality checking on Major and Strategic projects. | Q2 2023 | Head of CPMO |
R4 For those workstreams and projects where the focus is on consultancy rather than technology implementation, set milestones for delivery and monitor delivery against those milestones. | Partially Accepted. In 2022, all projects, regardless of their focus, require the definition, monthly review and update of milestones via the project reporting tool (Perform). At a minimum these milestones will include the stage gates a project will progress through. At the completion of a stage gate, the Project or Programme Board is required to approve any change to milestones formally prior to the transition to the next stage. Work is ongoing to ensure milestones are consistently defined and reported upon via the project reporting tool (see R3 above). | Q2 2023 | Head of CPMO |
R5 Undertake a formal documented risk assessment before agreeing deferrals or changes to project deliverables. | Accepted. Formal CRNs for high level decision making on the programme have been in place since the outset of the programme and, within the template, there is a section on impact analysis which includes provision for time, cost, risk, resources, communications and benefits in line with standard industry practice. This has been enacted in the recent CRN-062, which addresses the recent intent to amend the scope and intent for the programme in FY22/23. | Complete | Programme Manager, Cyber Security Programme |
R6 Formally document all deferrals and changes to project deliverables. | Accepted. Deferral activity in the detailed sense is captured within the requirements validation process that is carried out with all packages as they pass through delivery on the Cyber Security Programme. We will review specific areas of the Tranche 1 projects to determine if there are any gaps or timing issues with the validation work that was presented at the time of interview, but it is perceived that no additional changes to process or approach are required. | Complete | Programme Manager, Cyber Security Programme |
R7 Formally document at a programme level where deferrals and descoping have been referred to Ministerial level. | Accepted. The use of formal CRNs for high level decision making on the Cyber Security Programme has been adopted and, in relation to the recent CRN-062, presentation and discussion at ministerial level has been carried out and documented. | Complete | Programme Manager, Cyber Security Programme |
R8 Make best use of scarce internal staff resources in future technology programmes through: • confirming availability during the planning phase; and • engaging with other programme leads to identify activities in common. | Partially Accepted. M&D do their utmost to make best use of scarce resource in a fluid, dynamic and complex environment. In the last year, M&D have developed demand management processes to collate, assess and manage the demand arising for technology change and support from departments, and track between 300 and 400 initiatives at any point in time. This is a reactive rather than a proactive planning approach, which is time consuming and results in resource forecasting conflicts. To address this, there is a requirement to proactively plan (wherever possible), and this requires a change to the way in which strategic planning takes place. For the Government Plan and Departmental Business Planning 2023, M&D and other enabling functions will be engaged in the planning process at the outset, avoiding unforeseen resource demand and allowing a proactive and joined up approach to planning and the assessment of deliverability. However, this alone is unlikely to resolve the issue of resource availability as plans change often on projects and these resources are also required to maintain the day-to-day technology requirements for a complex organisation, which often requires a reallocation of resource at short notice. Should the GoJ wish to establish dedicated technology resource teams for the purposes of change, forward resource planning would be more achievable. However, this would come at considerable cost to the organisation and would require significant effort to implement and embed, and is therefore not proposed at this stage. | Complete | Group Director, Modernisation & Digital |
R9 In planning future technology programmes, assess the risks and opportunities associated with simultaneous delivery of multiple programmes. | Accepted. As noted above, historically, planning processes have not assessed the cumulative viability of change, nor have they consistently and formally engaged with M&D to assess the individual viability of proposals. In 2022, as part of the Government Plan 2023 processes, there will be an assessment of deliverability involving the enabling functions to plan for and schedule concurrent delivery. New processes in M&D, such as the Architecture Review Board, allow for the identification of technology risks and opportunities associated with concurrent delivery. There is also ongoing work to ensure the planning processes in T&E are integrated with those in the enabling functions to assess the appropriate funding and planning of both management and technical resources to enable significant simultaneous delivery across the entire portfolio. | Complete | Group Director, Modernisation & Digital |
R10 Deliver structured training to risk owners to develop their understanding of and confidence in their role. | Partially Accepted. In 2021, Espresso sessions to introduce risk owners to the Enterprise Risk Management (ERM) process and tool were implemented. Departmental focused training is also undertaken where the need is identified. Details of risk webinars are shared with risk owners and risk groups. Risk guidance setting out the different routes for recording and reporting Project/Programme Risk, Departmental Risk and Corporate Risk has been published. In Q3, the CPMO will introduce quarterly departmental portfolio risk reviews which will focus solely on the programme/project risk in the department and whether there are suitable mitigations in place. [NB In the future, Corporate Risk plan to develop a formalised programme of risk training, in terms of a fully structured competency framework based training programme for general risk management. Corporate Risk are awaiting the outcome of a C&AG review of the ERM prior to embarking on a piece of work which will look at gap analysis around the competency framework and then tailor and cost accordingly. This is likely to be a blend of e-learning with compulsory modules for all staff via Virtual College and more specific risk training directed at the different tiers. It is possible Corporate Risk will be recommending departments to follow a similar approach in respect of the latter to that which has been taken with IOSH Managing and Directing Safely, but from a CIRM perspective. This includes training at Board level. It is therefore too early to give costing until this work is done. This will be supplemented with Espresso sessions on ERM system navigation, workshops on the framework and specific elements of the Strategy, etc. Some of this is already being done within existing resource.] | Complete | Head of CPMO |
R11 Develop formal mechanisms for co-ordination between programmes regarding the prioritisation and co-ordination of tasks. | Accepted. As noted above, revisions to the Government Plan and Departmental Business Planning will ensure that M&D and other enabling functions are engaged in the planning process at the outset and prior to business case approval, allowing a proactive and joined up approach to planning and the assessment of deliverability. Ministerial support will be necessary to this process, particularly with respect to the prioritisation of projects, enabling the project teams to schedule effectively and avoid conflicts. | Complete | Head of CPMO |
R12 Designate internal owners for each workstream in major programmes. | Accepted. The CPMO Governance Framework mandates a minimum governance structure which includes a Programme SRO, Senior User, Senior Supplier and PM/PMO. The approach to the programme will determine the roles beneath this structure. For example, some programmes will define distinct projects beneath. In such cases, these projects are expected to also follow the minimum governance structure, putting in place a project level SRO. In other cases, the programme may decide to use tranches or workstreams rather than separate projects to consolidate deliverables. In such cases, a lead for the tranche or workstream must be agreed with the Programme Board before the end of the 'Define the Programme' stage gate. The Programme Framework which sets out such requirements was launched in November 2021, and it was agreed that any in-flight programmes (such as Cyber Security) would not be required to retrospectively complete documentation. Going forward, these structures will be defined and reviewed by the Programme Board and the CPMO prior to progressing to the next stage. As in-flight programmes progress through their next stage gate, they will be required to align with the CPMO Governance Framework. | Complete | Head of CPMO |
R13 Identify individuals to deputise as alternates at key programme meetings when designated individuals are not available. | Partially Accepted. The standard terms of reference for Project Boards and Committees require the identification of named delegates and the clarification of the required quorum. However, given the nature and size of the Government of Jersey, a delegate with the appropriate decision-making authority may not always be available. | Complete | Head of CPMO |
R14 In Outline Business Cases document linkages to wider organisational strategies and initiatives. | Accepted. The Investment Appraisal Team is committed to supporting the organisation in continuously improving the quality of business cases produced. It has produced updated Business Case templates, and rolled out a training programme, guidance, online learning and a resource hub to support business case authors. The updated Business Case templates include a requirement to link the initiative to a CSP or Ongoing initiative. In addition, the case for change also specifically asks authors to consider "connections to existing government policies and strategies." Impacts on other departments are specifically required to be assessed, which would include dependencies and linkages to other initiatives. We therefore consider that the Business Case framework in place meets this recommendation, although the actual realisation will depend on the detail and quality of each individual business case drafted. The IAT will continue to support the organisation in developing the quality of Business Case writing. | Complete | Group Director, Strategic Finance |
R15 Ensure that all workstream planning activities in major programmes are fully documented. | Accepted. All Major programmes are required to follow the CPMO Programme Delivery Framework, which sets out the required documentation for the programme. This includes the minimum standards for Programme Plans. | Complete | Head of CPMO |
R16 Routinely hold workshops with programme stakeholders to identify and prioritise requirements for major programmes. | Partially Accepted. All Major programmes are required to follow the CPMO Programme Delivery Framework, which sets out the required documentation for the programme. This includes a stakeholder map and communications strategy to indicate the plan for the management, engagement and communication with stakeholders. At the end of each stage gate, the Programme Manager and SRO must confirm they have satisfied the criteria to enter the next stage gate, which includes the engagement of stakeholders, clarification of their role in the programme and their approval of prioritised requirements and design. This document is approved by the Programme Board and reviewed for completeness by the CPMO. | Complete | Head of CPMO |
R17 Develop and roll out appropriate induction training for external project managers. | Accepted. A Project Management e-learning module was launched in February 2021 to provide induction training to all new Project Managers to the GoJ, including any external Project Managers. The e-learning includes guidance on the use of the GoJ Programme and Project Frameworks. In addition, training is offered to all new Project Managers (both internal and external) on the use of the project reporting system, Perform. [NB The Cyber Programme does run familiarisation sessions for new suppliers joining the Cyber Security Programme and within the extended content we have focus sections on PMO and Business Change. This is currently being revised and will be updated in line with the intent to adopt the new CPMO delivery framework etc. for FY22 projects where appropriate/mandated.] | Complete | Head of CPMO |
R18 Introduce structured briefings for stakeholders at the commencement of their involvement in a programme so that they have a clear understanding of their role. | Accepted. This is in place. See R16. | Complete | Head of CPMO |
R19 For major programmes, routinely evaluate benefits realised and delivery of Outline Business Case tasks at programme level. | Accepted. See R3 above. | Complete | Head of CPMO |
RECOMMENDATIONS NOT ACCEPTED
Recommendations | Reason for Rejection |
--- | --- |
None | |