Independent IT review: executive summary

Conducted for the Care Quality Commission
By Peter Gill

Executive summary

1. Introduction

This is the executive summary of the detailed report following an IT review for the CQC, conducted in December 2024 to January 2025, by an independent IT Consultant.

The Independent IT Review (IIR) was commissioned following the Penny Dash report, which highlighted issues with poorly performing IT systems hampering the CQC’s ability to roll out the Single Assessment Framework (SAF). That report made seven recommendations, including the need to rapidly improve operational performance, fix the Provider Portal (PP) and Regulatory Platform (RP), and improve the quality of reports.

The IIR focuses on the PP and RP IT systems, governed by the Regulatory Transformation programme within an organisational Transformation Portfolio running from 2019 to 2024. The PP is a module of the RP, along with five other major modules. RP has been built on the Microsoft Dynamics 365 platform (D365).

It addresses the following key questions:

1. How and why did the CQC reach a point where the IT solutions (RP) caused significant organisational disruption?
2. Is the IT solution (RP) salvageable based on the current contractual relationship with suppliers and subcontractors?
   • If so, what needs to be done to make the IT solutions (RP), the overall operating model, the programme management, and contractual controls fit for purpose?
   • If not, how should the CQC proceed to build or buy and implement an IT solution that is fit for purpose in the shortest possible time?

The IIR involved detailed conversations with over 100 people from the CQC and its design/delivery partners. Documents were reviewed and cross-referenced with interview content. Best practice documents, legal requirements, and industry standards were used as a guiding framework. Extensive web research supported by Microsoft Copilot assisted in benchmarking the CQC's position with similar organizations.

The report acknowledges the contributions of many people who provided their time and expertise. It praises the CQC staff for their diligence and determination to move forward positively and bring the CQC back to a fully effective and efficient organisation.

2. Where are we now?

2.1. Headline position

The CQC Portfolio Management Office (PMO) report states that the Transformation Portfolio has led to an incomplete implementation of a new organization and business process, ineffectively supported by IT systems.

The Audit Risk and Assurance Committee (ARAC) presentation in September 2024 shows the financial profile of the Regulatory Transformation (RT) Programme. The actual spend to date (December 2024) is £99M, with Whole Life Costs (WLC) rising from £28.4M over 5 years to £145.5M over 10 years in line with an increased programme scope.

Less than 30% of the expected deliverables have been signed off. Significant variations exist between different CQC functional departments, with some achieving 0% and others up to 70%. Key issues include overcomplicated processes in the Assessment app and low adoption of the Provider Portal for Notifications.

Only 5% of the benefits have been achieved, with 27% in progress and 58% lacking a planned timeline. 8% of benefits have been descoped. The savings to date are £0.3M against a plan of over £10M.

2.2. End user experience

Users have reported negative impacts on physical and mental health, and usability issues with the RP, which has been studied by an independent ergonomics consultant. Of the 955 responses to a Health and Safety Survey, 62% of them reported health impacts due to RP.

Since RP was launched there have been a high volume of incidents reported, more than 15,000, reported to the IT Service Desk.

Positive feedback on some aspects of RP, e.g. data capture, automation, visibility, and case management for the users in the National Customer Service Centre (NCSC).

There are practical difficulties for the analytical teams and their customers relating to data quality, extraction, and reporting due to misaligned data models and reliance on legacy systems.

Two workarounds have been deployed: the Hybrid Approach for assessments and the Off Platform Location Assessment Plan (LAP) process for hospital inspections.

Due to poor user experience, the Registration function has reverted to using the legacy system, leading to data consistency issues and challenges in accessing a single source of truth.

3. Why are we here?

3.1. Cultural issues

Data is not seen as a strategic asset, leading to issues with data quality and reporting. The CQC didn’t adopt technical and management standards, leading to unsafe and ineffective programme execution.

There was a heavy reliance on contractors which led to high costs and a lack of continuity. The programme became siloed, hindering collaboration and effective teamwork.

3.2. Service lifecycle

The IT Infrastructure Library (ITIL) service lifecycle is used to analyse the history of the RP Programme and identify what went wrong.

3.3. Service strategy and the business case

The PMO report's headline statement emphasizes the incomplete implementation of a new organization and business process, leading to ineffective IT support. The SAF methodology is not mature, leading to challenges in implementing effective business processes.

The business case is critical for justifying investment and establishing controls. Significant funds were committed based on an Outline Business Case (OBC) which is not best practice. Spending objectives were not specific, measurable, or time bound. Limited options were considered and WLC increased significantly without reappraising options. Risks were not properly allocated or managed.

Benefits were overestimated, and some were missing. The project plan was overly ambitious and did not apply lessons learned. Risks were not fully considered or managed. There was no strategy for data and reporting, leading to issues with data quality and governance.

3.4. Service design

The SAF methodology was still emerging, leading to design changes and rework. The design phase started late, leading to insufficient time for proper design. Executive-driven design choices did not align with user needs, leading to issues with usability and functionality.

3.5. Service transition

Regular descoping of deliverables led to incomplete functionality. Contracts with suppliers were based on Time and Materials (T&M) rather than Fixed Cost (FC), leading to cost overruns. There were issues with the quality of the build and quality assurance processes. User Acceptance Testing (UAT) was insufficient, which led to issues with the deployed system. There were additional issues with training and release and deployment processes.

3.6. Service operation

The Service Operation phase followed typical arrangements but faced high volumes of support calls due to poor user experience and system issues.

3.7. Continual service Improvement

A Service Improvement Programme was established to implement functionality that had been descoped. However, issues with communication and coordination between teams led to further problems.

4. The way forward

4.1. The first order question

The review focuses on whether the IT solution (RP) is salvageable based on the current contractual relationship with suppliers and subcontractors. The RP is salvageable but requires substantial development and rebuilding work. The IIR recommends that this should be done in house with additional support.

4.2. Platform choice and architecture

The D365 platform is considered robust, flexible, scalable, and capable of integration with other products. Migrating to a different platform would incur significant additional costs. The recommendation is to retain D365 and continue mending RP on this platform. RP has been configured as a monolithic structure, which is not ideal. A microservices architecture is recommended for better scalability, resilience, and maintainability.

4.3. Setting up for success

To provide a better chance of success and to learn the lessons from the past, the following recommendations are made:

• Establish a well-coordinated programme to mend RP, using Managing Successful Programmes (MSP) best practice.
• Review and improve change control mechanisms to ensure strategic alignment and a holistic approach.
• Rebuild trust and involve end users effectively through stakeholder engagement and communication plans.
• Develop a culture that views data as a critical asset, with appropriate training and accountability.
• Establish an overt prioritisation method to manage the workload backlog and reduce pain points.
• Augment internal staff capacity and skills to enable in-house redevelopment of RP and data requirements.
• Clarify roles within the programme, project, and ongoing service management, using a best practice approach.
• Assign or employ a dedicated IT Librarian to organize and manage RP documentation.
• Adopt best practice standards and methods for project, programme, and IT service management.
• Aim to reduce complexity in policy and process redesign.

4.4. Short term immediate action

The following immediate actions are recommended:

• Recognize Assessment Lite as a formal project within the RP mend programme, managed using AgilePM methodology.
• Address "stuck" assessments and manage workarounds carefully.
• Mandate a single method for providers to submit Notifications via the PP.
• Establish a project to rewrite the Registration App as a microservice within D365.

4.5. Medium term/foundation Improvements

The following actions are recommended for the medium term:

• Develop and manage user adoption to the Target Operating Model (TOM), focusing on value and using the Theory of Constraints (TOC) approach.
• Develop a Data and Reporting Strategy in line with the Government Functional Standard, with external support. This strategy should include a target reporting architecture, governance model, data quality reporting, and a shift to an in-house workforce.

5. Summary

From 2019 to 2024, the CQC transformed its core IT system from legacy systems to a bespoke cloud-based application on the D365 platform, aiming to enhance Customer Relationship Management (CRM) functionality with Enterprise Resource Planning (ERP) capabilities. This transformation was part of a broader organizational change to a new operating model.

The primary cause of the IT failure was a failed organizational transformation. The attempt to change core processes, structures, roles, and technology simultaneously was ambitious but not unprecedented. The CQC's efforts to create a TOM were not accepted by the organization.

The Single Assessment Framework (SAF) became a simplistic label for the failure. Problems arose from decisions around delivering SAF and implementing it with a technical solution. Despite issues, staff are using SAF off-platform effectively.

When organizational transformation fails, IT also fails as it underpins core processes. Unclear or unstable processes make designing technology like hitting a moving target. The IT issues are a visible artifact of the broader failure.

The RP and RT programmes had major failings across the Service Lifecycle. Unrealistic timescales, reliance on contingent labour, and technical mistakes in the software build process led to poor software releases.

The D365 platform is robust, flexible, and scalable, capable of achieving CRM/ERP functionality. Strengthening in-house capabilities to build and support D365 applications is recommended to reduce reliance on external staff.

Urgent short-term IT changes are needed to address immediate staff pain points and enable the CQC to function effectively. The most fundamental recommendation is to re-establish an effective TOM, embracing staff expertise and leading its implementation. The strategic IT solution should be rebuilt in parallel to be fit for purpose.