“If people had stuck to the procedures, this would never have happened.”
How many times have you heard a senior manager say that?
This was, more or less, what Alistair Darling said in his statement to the House of Commons yesterday, about the loss of 25 million people’s tax records.
It now appears that following a further request from the NAO in October for information from the Child Benefit database, and again at a junior level and again contrary to all HMRC standing procedures, two password protected discs containing a full copy of HMRC’s entire data in relation to the payment of child benefit was sent to the NAO, by HMRC’s internal post system operated by the courier TNT. The package was not recorded or registered.
The trouble is, procedures only work if people proceed according to them. If workers don’t know what the procedure is, or worse, are encouraged to cut corners by not adhering to it, the procedure is useless. Offices all over the country have procedures manuals, probably compiled by expensive project teams, or even more expensive consultants, sitting on the shelves gathering dust. This is usually due to one, or a combination of, the following:
- The procedures were designed with no understanding of the true nature of the job. They therefore reflect an idealised world and take no account of the demands made on employees. From the beginning, they are seen as a useless imposition and ignored.
- No training was given to the staff on the new procedures. People were just expected to pick them up as they went along. The result is a piecemeal implementation, with some employees following some of the procedures some of the time.
- Employees were not given any incentive to follow the new procedures. If people are not rewarded for using the new procedures, or not called to account when they don’t, why would they put in the extra effort to make the procedures work? If managers don’t value the procedures enough to build them into employees’ objectives, why should anyone else consider them important?
- Managers did not monitor the use of the procedures. Too often, once procedures are written up on pretty charts, managers tick the box, declare a successful implementation then move on to something else. They assume, or hope, that the employees will just get on with it. Few have the stomach for the laborious follow-up tasks. The use of the new procedures needs to be monitored and checked. Team members need to be coached, persuaded, admonished and, occasionally, disciplined until the procedures become accepted. That means hard work for the manager.
Which is why it is easier, when things go wrong, to just blame a few junior staff, say that the procedures are rubbish and launch yet another new project to re-engineer and re-design them.
Sure enough, Alistair Darling has announced that PricewaterhouseCoopers will conduct a review of security procedures at HM Revenue and Customs. Led by Chairman Kieran Poynter, the PwC team will produce an interim report by the end of the year and a full report in the spring. This review will almost certainly find evidence of some or all of the common mistakes outlined above. No doubt PwC will also redesign some of the processes, at considerable cost, but if the same mistakes are made in the implementation, these, too, will sit on the shelf to be ignored until the next crisis breaks.
Is an expensive review by a consultancy firm really necessary to resolve this problem? People in HM Revenue and Customs must know what went wrong and, with a little thought, they should be able to work out why. Is there really no-one within the Civil Service who could ask some simple questions, based on a few well known common implementation mistakes, and put together a plan to sort the whole mess out? Or is public sector management now so moribund that the only option open is to call in the consultants?
Whatever improvements PwC recommend will have to be implemented by managers at HM Revenue and Customs. If these same managers did not ensure that the current procedures were followed, what are the chances that they will effect the changes necessary to prevent a similar security breach in the future?
A review of security procedures by consultants is unlikely to change anything. The problem is not a lack of procedures but that, whatever the procedures are, people sometimes ignore them. This is due to a failure of management. Dealing with systemic management failure takes longer and is much more difficult than just changing a few procedures.