On behalf of the Government, Statskontoret (the Swedish Agency for Public Management) has reviewed the National Police Board's steering of IT activities. The assignment has included an investigation of whether this steering has been organised in an appropriate manner, whether responsibility for measures and decisions is clearly linked to roles in the organisation and how skills issues are managed in order to support an effective steering of IT. Another part of the assignment was to describe how internal and external factors of influence are dealt with in the Police Service's steering of IT activities. A further part of the assignment was to assess whether the selected model for steering, monitoring and control is functioning satisfactorily and being used as intended. Statskontoret's assignment has been carried out in accordance with the Agency Analysis Model.
The National Police Board's IT activities are extensive. In 2013, the IT budget covers around SEK 1.3 billion, that is, 5 per cent of the appropriation to the Police Service. In recent years, the National Police Board has implemented an extensive investment in IT activities, where an increasingly large share of the budget has been allocated to the development of new IT support systems. The development budget is about SEK 450 million, and the budget for operations and administration is about SEK 900 million. An IT strategy adopted in 2009 has been the starting point for this investment. Statskontoret has based its review on this IT strategy and its implementation.
The IT strategy has been too ambitious
The National Police Board has a number of policy documents in place, arranged in a clear chain of governance that has its basis in the IT strategy. In practice, however, the IT strategy has only had a limited impact on the development of IT activities. The main reason for this is that the IT strategy has been far too extensive in relation to the National Police Board's capacity to deliver fully developed IT support systems. The work to prioritise among various initiatives has not been effective, and there has not been scope to manage new needs and requirements, such as new EU Directives. The policy documents, such as the IT Action Plan, have not been updated in line with changes to the steering models.
Overall, the National Police Board is far from achieving the goals that according to the IT strategy are to be achieved no later than 2015.
The general organisation has led to delays and difficulties in prioritising
Over the past year, the IT organisation has been repeatedly altered, partly as an adaptation to enable focus on the activities needed to prepare the Police Service for the merger of the police authorities and the National Police Board on 1 January 2015.
Until the end of May 2013, the IT staff had responsibility for the coherence of the IT strategy. We have established that much criticism has been levelled at this IT staff, in part due to its insufficient adoption of the activities' perspective. It has also appeared to have been incapable of prioritising among the development options.
We have also noted that the National Police Board has been largely characterised by a decision-making procedure that is deficient due to questions of culture. This has led to an excessive degree of requests for negotiated solutions in IT activities, both at a general level and in individual projects. Moreover, on many occasions, problems have been escalated within the organisation. This has made it necessary for a large number of cases to be decided by management personnel, who cannot be expected to have detailed knowledge of what their decisions entail.
Parallel steering processes hinder consensus and efficiency
In its development of activities, the National Police Board applies a number of different steering processes. Some of these have been described by various functions within the National Police Board as excessively complicated to administrate and have therefore been supplemented by others, without any clarification of the interface design between these processes.
The National Police Board has chosen to pursue the development process in four separate steps: needs analysis, development, introduction and acceptance. These steps are performed without any requirements regarding how the skills transfer will take place between the different steps. There is no explicit role in the organisation to keep the process integrated from beginning to end.
Development funds have been reallocated between projects due to deficient budget planning
The IT budget as a whole has not been exceeded since the IT investment began, but when the budgets of individual projects have not been kept, reallocations between projects have been negotiated. One reason for individual project budgets not being kept is that all the projects were budgeted for a low-cost scenario. Overshooting the budget has rarely led to any other consequences for the projects, and so there has been little incentive to keep the budget. Projects exceeding the budget have not been stopped since the National Police Board has determined that investments are often already far too great to do so.
Several concurrent factors have led to difficulties in customising new IT support systems to the needs of activities
The needs of the Police Service are great with respect to IT support systems, which is partly explained by the many different parts of police activities. Activities are also run in different ways, which according to the National Police Board has been aggravated by the small scope of the mandate to steer the police authorities in the current form of organisation. The conditions for the Police Service to work in a similar way will increase with the establishment of the integrated Police Authority on 1 January 2015. However, the fact that the activities function differently has so far led to difficulties for the National Police Board to customise the IT support systems, which has often resulted in delays to the development work. The National Police Board also states that it is difficult to acquire skilled personnel who do not only know how the activities function at their own police authority.
The difficulties in prioritising have also led to several new IT systems not being delivered on time, which means that police authorities have largely been forced to use outdated systems.
The need for skills has largely been met by means of consultants
The National Police Board has actively pursued skills provision, but the results have varied. For example, it has sometimes been difficult to recruit on competitive terms and to re-train employees internally. For this reason, the National Police Board's need to use consultants is great. The National Police Board has managed this by signing an agreement with a co-sourcing partner, which among other things should have simplified the procurement process. Through the co-sourcing partner, the National Police Board has at relatively short notice gained access to external skills in the form of consultants and outsourcing options. This also places demands on good supplier management.
A great dependence on consultancy has led to consultants holding a number of key positions within the National Police Board. The National Police Board has taken certain measures to reduce its dependence on consultancy in the project activities. However, there are consultants who have held such positions for a long time, which is a sign that sufficient measures have not been taken to reduce the dependence on consultancy in key positions.
Risks have not been dealt with to a sufficient extent
The National Police Board identifies risks in IT activities at several levels, especially in the projects. However, it is not clear to the same extent how these identified risks have been managed. In several cases, there are signs that the risks have not been managed. For example, risks with regard to skills provision and the dependence between various development projects have not been adequately managed.
When the Police Data Act (2010:361) entered into force in March 2012, the Swedish Parliament allowed the Police Service to apply certain transitional provisions until January 2015. The motive was to give the National Police Board time to implement necessary customisations in the data systems. However, the National Police Board has not been able to fully deliver these customisations due to delays in the development of new IT support systems and requested an extension of the transitional provisions in October 2013.
The National Police Board has also suffered delays on several occasions due to the formal security requirements not having been dealt with in the development of new or customised IT support systems. These may, for example, relate to requirements to log activities in the IT support system. Among the causes of the deficient security analysis are the inadequate definition of requirements and the gaps in knowledge about how the security levels affect system requirements.
Several measures are necessary
Statskontoret's report indicates a number of measures that may improve the conditions for the future steering of IT activities.
- The Police Service should also establish a strategic decision-making process which includes decisions on goals and an improved ability to decide on priorities. A process of this kind should include the ability to manage a multi-year planning cycle and the enablement of continuous review.
- A common model for the development of activities must be established and implemented. All steering models should be established and documented so as to enable their uniform application both by the personnel in various branches of activities and by consultants.
- The Police Service is in need of strengthening supplier management by developing the skills of its own employees in order to secure the ability to manage consultants and external suppliers. The Police Service should, in this context, re-investigate what should be managed internally and what should be managed by consultants.
- The Police Service should develop its work to deal with the identified risks. There is also a need for greater identification of risks that are due to project dependencies. The transparency of the risk management process should increase.