Independent IT review

Published: 26 March 2025 Page last updated: 26 March 2025

Downloads

5. Summary

From 2019 to 2024, the CQC undertook a transformation of its core IT system from a legacy Customer Relationship Management (CRM) system, to an enhanced bespoke cloud-based application based on the Microsoft Dynamics 365 (D365) platform that aimed to replace the legacy CRM functionality and enhance it with Enterprise Resource Planning (ERP) functionality. The industry definitions of these two terms are in Appendix 12. This was undertaken alongside an organisational transformation that aimed to move the CQC to a fundamentally new operating model to support a transformed regulatory approach.

The root cause of the IT failure is a failed organisational transformation. Some interviewees have proposed that the transformation was too ambitious, in attempting to change too many things at once (core processes, organisational structures, roles and underpinning technology) but there are many examples of successful such changes in other organisations and industries (University of Bath, 2015)[xi]. Indeed, an argument can be made that, when embarking on a fundamental change to its core processes, an organisation doesn’t have a choice but to change all the other aspects (structures, roles, technology) in concert given that all work takes place as a combination of people, processes and technology (PPT)[2]. This is recognised in best practice as the creation of a TOM (Appendix 10). Seemingly, the CQC’s attempts to create a TOM to articulate how the new Regulatory approach would work in practice, have not been accepted by the organisation.

The SAF has become a convenient simplistic label for what went wrong in the organisational change programme. It is more accurate to say that the organisational decisions taken around the methodology of delivering the SAF and executing this with a technical solution are where the problems occurred (e.g. scoring methods, evidence categorisation). This point is reinforced by the fact that staff are undertaking assessments using the SAF off-platform and it is working quite well.

3 years after the launch of the SAF, elements of it are variably applied in practise (e.g. automatic assessment scoring requiring manual moderation), some policies (e.g. evidence category scoring) have been reverted to a transformation approach and other policies (e.g. restricting the volume of provider-supplied documentation) have proved to be unworkable.

When an organization transformation fails the IT will also fail, as it exists to enable/underpin the core processes being transformed. If the core processes are unclear or unstable, designing the technology will be like trying to hit a moving target. The IT is a very visible, tangible artifact of this failure and is causing daily harm to the organisation’s mission and its people, but this report argues it is not the underlying root cause.

The technology-based change programme (RP and then RT) also had major failings along the whole Service Lifecycle. There were many flaws in the OBC and FBC that created a difficult context for the programme to be effective. The Design and Transition phases of the lifecycle were hampered by unrealistic timescales (established in the business cases) and a dominance of contingent labour that could not fully understand the CQC’s existing or intended operating model. Some technical mistakes were made in the software build process, and UAT was constrained to the point that poor software was released into the live environment on a number of occasions.

This strategic IT solution can be built using the existing platform, D365, which is independently recognised as a robust, flexible and scalable solution capable of achieving CRM/ERP functionality and used by hundreds of thousands of organizations worldwide for this purpose. It is recommended that the emerging in-house capabilities to build and support D365 applications be strengthened to enable this strategy to be executed without reliance on external and contingent staff. This core recommendation is underpinned by several other supporting proposals.

Many short-term IT changes need to take place urgently to address the immediate pain that staff are feeling, and these will be recommended. However, the most fundamental recommendation is that the CQC re-establish an effective TOM, which is acceptable to its staff, embraces their collective deep expertise, and leads its implementation appropriately. In parallel with this the CQC should develop a Data-First culture and enabling strategy to promote data as a strategic asset.

This report makes 23 recommendations to help the CQC move forward. These are repeated below:

  • Recommendation 1. The CQC retains D365 as a strategic asset and continues to mend RP on this platform.
  • Recommendation 2. The RP programme gradually, as apps are redeveloped, adopts a microservices architecture for the platform being careful to maintain a holistic view of the CQCs SVCs and Data/Reporting architecture.
  • Recommendation 3. The CQC formally stands up a programme to mend the RP is established using MSP best practice and that anyone assigned to serve on the programme board is trained to MSP practitioner level
  • Recommendation 4. The Terms of Reference of the 3 levels of change control be reviewed against the best practice requirements (as listed in section 4.3.1.1), in particular to ensure strategic alignment is executed, which will necessitate broadening the membership beyond TDI staff.
  • Recommendation 5. The change control mechanisms should operate within the principle of Think and Work Holistically (Appendix 7) to ensure an enterprise wide, end to end service approach (recognising the interconnectedness of data throughout the CQCs SVCs) is taken.
  • Recommendation 6. A staff reference group is established with representatives from all the recognised staff networks (e.g. Carers Equality Network, Disability Equality Network, Gender Equality Network, Race Equality Network, LBGT+ Equality Network, Staff Forum, etc) and a cross section of the organisations tasked with creating Stakeholder Engagement and Communications Plans (SECP) relating to each aspect of the RP programme. The whole organisation is consulted on the SECPs and once agreed active participation should be nurtured.
  • Recommendation 7. When engaging end users the definition of user is broadened to include the “downstream users” of the data.
  • Recommendation 8.As part of the CQC Way, the CQC develops a culture that views data with the same importance as public money, i.e. as a critical currency to govern effectively with appropriate training for all staff and an accountability framework for the quality and control of data commensurate with the financial scheme of delegation.
  • Recommendation 9. An overt prioritisation method is developed in line with the SECPs. In the short term this will focus on reducing the worst of the pain points that are experienced by the staff of the CQC and enable it to fulfil its purpose.
  • Recommendation 10. In the medium term, once the SVCs are mapped the prioritisation method should be guided by the TOC concepts to maximise value delivered to CQCs customers.
  • Recommendation 11. A business case is developed to augment the internal staff capacity and skills to enable an inhouse development the CQC’s data and reporting requirements and RP application.
  • Recommendation 12. The services of an external D365 expert be engaged to provide assurance activities.
  • Recommendation 13. The RACI matrix approach is used extensively to clarify roles with the programme, project and ongoing service management of RP.
  • Recommendation 14. The CQC assign or employ a dedicated IT Librarian to find all the relevant RP documentation, organise it, reference it, make it available to an appropriate stakeholders as necessary in accordance with the ITIL Knowledge Management process (appendix 9). This will involve working closely with external suppliers.
  • Recommendation 15. Executive sponsorship is provided to support a cultural change to ensure the CQC adopts of best practice standards and methods. As a minimum the scope should include project (Prince 2, AgilePM), programme (MSP), IT service management (ITIL), business case (BBC) and technical standards (e.g. Examination and Assessment (EXA), GDS).
  • Recommendation 16. All policy and process redesign attempts aim to reduce complexity as much as possible by using the principles of Keep it Simple and Practical; Focus on Value.
  • Recommendation 17. Assessment Lite (a microservice built using D365 by an inhouse capability) is recognised as a formal project within the RP mend programme. This project is managed using AgilePM methodology.
  • Recommendation 18. The CQC should recognise that the two approved workarounds (Hybrid, Off Platform LAPS) may have unintended consequences (as they introduce more system complexity) and will make the management oversight difficult (as they were designed without a Data-First approach). They should be documented carefully and managed as standard work for the short term until the assessment App is rebuilt.
  • Recommendation 19. The CQC mandates a single method (via the PP) for providers to submit Notifications.
  • Recommendation 20. The CQC tests the feasibility of simplifying the provider ownership of Notifications.
  • Recommendation 21. The registration app is rewritten in house as a microservice built using D365. This is recognised as a formal project within the RP mend programme and managed using AgilePM methodology.
  • Recommendation 22. The CQC urgently embarks on a programme to develop/confirm/reinvigorate and manage user adoption to, its TOM. This work is guided by the principle Focus on Value. SVCs that run through this TOM are developed and a TOC approach is taken to understand and then manage the constraints within the SVCs. Staff training in TOM, SVCs and TOC is provided as necessary.
  • Recommendation 23. The CQC develops a Data and Reporting Strategy line with the recognised Government Functional Standard[i]. External support should be engaged to help the CQC create this strategy.

Notes

i Functional Standard 5 (Digital), S4.2 - Government Functional Standard - GovS 005: Digital

xi landing-transformation-change_2015-gap-theory-practice_tcm18-9050.pdf

2 "People-Process-Technology" (PPT) model is frequently referenced in various fields, including IT service management, business transformation, and organizational development