The Post Office Horizon scandal is one of the biggest miscarriages of justice in British legal history. What can we learn from this about how to choose an IT partner?
Something about the ITV drama Mr Bates vs. the Post Office captured the public imagination in a way hundreds of news articles and several parliamentary questions and an ongoing public inquiry has not.
The true story of the Welsh postmaster who took on the Post Office after it refused to accept the blame for a faulty computer system that led to thousands of postmasters and sub-postmasters being falsely accused of fraud has resonated with a large swathe of the British public.
Yet the show’s success took even its creator by surprise. Gwyneth Hughes, the writer of the drama, said she was warned that “probably not many people would watch it”. Instead, the ITV show has been a catalyst for action by the public, the government and, finally, the Post Office and its supplier Fujitsu.
It is good to see that the victims of this miscarriage of justice are finally being listened to and reparations and apologies being made. However, we can’t help but wonder how it ever got to this stage. More than two decades of obfuscation and denial has resulted in many people suffering unnecessarily. Leading us to ask: what was it about this IT partnership that led to such catastrophic results for so many people?
The roots of the scandal, of course, lie in the technical failure. As early as 1998 – prior to start of the rollout at the Post Office, Horizon’s problems were already well known inside Fujitsu. A developer who worked at Fujitsu between 1998 and 2000 told Computer Weekly that the IT company allowed the system to be rolled out despite being told it was not fit for purpose.
The developer reporting how it had gone through the test labs many times and “the testers were raising bugs by the thousands.” They said the system was built with “no design documents, no test documents, no peer reviews, no code reviews, no coding standards.”
Furthermore, the developer said, “No one on the team had a computer science degree or any degree-level qualifications in the right field. They might have had lower-level qualifications or certifications, but none of them had any experience in big development projects.”
The output, predictably, was a system that was not fit for purpose.
Why, then, we have to ask ourselves, were Fujitsu bosses so keen to rollout a system which they knew was not fit for purpose? Perhaps it was because, at the time, the rollout was the biggest non-military IT project in Europe. No one inside Fujitsu wanted to see it fail – even if this meant ignoring issues that needed to be addressed. No one was willing to pull the plug – even though it needed to be pulled.
For the 700 postmasters who were prosecuted, that decision was disastrous. The Horizon system had been put in place to replace traditional paper-based accounting practices. Without the chain of evidence created by those paper-based accounting methods, it was impossible for many sub-postmasters to prove that the system losses were not their fault.
Worse, when they were able to prove the system was at fault, they were silenced. Computer Weekly reported the case of a sub-postmaster in Lancashire who, in 2003, appointed an expert IT witness in her defence. When she blamed the Horizon system for the shortfalls at her branch, she was paid off and forced to sign a non-disclosure agreement.
This culture of secrecy and denial led to lives being lost and untold pain and financial hardship for many hundreds of people.
It wasn’t just Fujitsu that turned a blind eye to the problems.
Paula Vennells, CEO of the Post Office Ltd between 2012 and 2019 – a period through which the scandal continued to drag on – gave evidence to the Business, Energy and Industrial Strategy Select Committee in June 2020. She said, “The message that the Board and I were consistently given by Fujitsu, from the highest levels of the company, was that while, like any IT system, Horizon was not perfect and had a limited lifespan, it was fundamentally sound. I believed it was reasonable for the Board to rely on these assurances: Fujitsu was a respected, global IT company, it had many other governmental and high-profile customers, and from my experience of working with Fujitsu it appeared to be well-led and professional.”
How did these surface assurances outweigh the growing body of evidence that was mounting up against the efficacy and accuracy of the system?
The Institute for Government suggests the nature of public sector contracts can account for some of the “human decisions behind the ‘technical’ failures”. It argues that public bodies tend to employ fewer people, with less experience and seniority to manage large contracts than their private sector counterparts, which makes it harder to properly hold suppliers to account. However, without proper scrutiny, problems can persist for many years. Because these systems can’t easily be turned off – because services can grind to a halt without them – contracts can be extended simply because there is no viable alternative.
The Institute for Government emphasises that “civil servants should not outsource their personal judgement to fallible structures of accountability and oversight”.
This advice holds equally true for anyone responsible for awarding or managing a contract. Processes can fail – so complaints need to be properly investigated.
The Institute of Directors goes further, arguing the Post Office board appeared to lack the ability to exercise informed, independent judgement over the functioning of a key IT system. It emphasises, “the weak governance of technology can pose existential risks for an organisation, especially if it takes place in an environment in which board members are either unwilling or unable to grasp the full implications of their legal duty to promote the best interests of the company.”
It’s clear that outsourcing can’t be a “one and done” decision. The relationship must be managed, lines of regular, transparent communication established and good governance practices put in place.
So how do you choose an IT partner to deliver a major project? How can you avoid the mistakes that led to this scandal?
First, the supplier needs to be able to demonstrate competency. During selection and due diligence, you can ask for details about the people who will be delivering the project. Do they have the right skills and certifications? Do they have experience of delivering projects of a similar scale and complexity with the same technology?
Any supplier should also be willing to talk about methodology and processes. What methodology is employed to deliver projects? How do they ensure the efficacy of solutions, system accuracy, cyber security, data governance, knowledge sharing and successful delivery?
You should also ask the supplier to demonstrate the business competency in delivering projects of a similar scale and complexity with the same technology. This may not always be possible, of course – someone has to be first, after all. However, if there is a huge gap between existing experience and the proposed project, you should exercise caution – especially if the project is as fundamental to operational performance as Horizon was for the Post Office.
Culture and communication should also be clearly discussed. What happens if there are problems or complaints? How will they be followed up? What processes are in place? How will issues be communicated? To whom? With what regularity?
We all understand that technical projects sometimes encounter problems. If the supplier can provide testimonials from its customers about how problems have been successfully (and rapidly) addressed then this is a good sign. The desire to sweep issues under the carpet, however tempting, isn’t good business sense in the long term.
The culture of the business is important. A business that places great emphasis on clear, open and regular communication – internally and with its clients – would have never rolled out a system that was not fit for purpose in the first place.
Then there are the internal processes you need to put in place as a consumer of IT services. How will you manage the relationship? How will you respond to and escalate complaints? How regularly will you review performance? What will these reviews look like?
A good IT partner will help you to establish all of these facts before you sign with them. They will insist upon it. It might mean more work upfront, but it will make for a better decision, a better relationship and better outcomes.
If you’d like to partner with an IT support company that prioritises quality, excellent support and clear, open communication, we’re here for you.
Get in touch with the Grant McGregor team.
Call us: 0808 164 4142
Message us: https://www.grantmcgregor.co.uk/contact-us
Further reading
You can find more ideas, insights and advice on the Grant McGregor blog:
• Should your organisation be leasing your IT hardware?
• 10 signs it's time to get a new IT support company
• The biggest tech stories of 2023: Our recap of a game-changing year
• Is dark data killing the planet?
• How should risk managers address cyber risk?
• Is your organisation doing enough on supply chain security?
• How to minimise the risk from phishing
• How to pick the right IT support company for your business
• How much do you need to understand your business IT to change your IT support supplier?