Independent IT review

The other aspect of holistic thinking relates to the lifecycle of data which encompasses the stages of data creation or collection, storage, usage, sharing or distribution, maintenance, archiving, and disposal. It begins with data generation from various sources, followed by its storage in databases or data warehouses. The data is then used for analysis, reporting, and decision-making. It may be shared with other systems or users and is regularly updated and validated to maintain accuracy. Data that is no longer actively used is archived for historical or compliance reasons, and eventually, data that is no longer needed is securely disposed of to prevent recovery.

With both of these perspectives the consequences of a change within one part of the ecosystem on its other parts needs to be understood and governed effectively, throughout design, development, testing and operations.

Two recommendations are made with respect to change governance:

4.3.2. Involving users – a new culture

A regular concern raised in almost all interviews is that stakeholder engagement was poor, exemplified by this quote from an interviewee to this IIR:

“CQC’s ways of working, processes, policies, regulations etc were not understood by the designers or builders of RP”.

Coupled with the behaviours described above this has led to a severe erosion of trust. There is an immediate need to rebuild trust and involve end users (and their representatives) effectively.

The method for this will be dependent on the emergent ‘the CQC Way – building a positive culture through collective responsibility and engagement’. However, making certain assumptions about how the culture will develop and cross referencing with best practice (ITILv4 principles Appendix 7) the following principles, in particular, should guide the engagement philosophy:

Focus on Value: Understand and prioritize what the customer values. Every action should contribute to delivering value to customers.

Progress Iteratively with Feedback: Implement changes in small, manageable steps with feedback at each stage to ensure alignment with goals.

Collaborate and Promote Visibility: Encourage collaboration across departments and promote transparency to improve decision-making and outcomes.

Think and Work Holistically: Consider the complete picture rather than isolated components. Systems thinking helps in understanding interdependencies and impacts.

It is recommended that:

The SECPs (MSP provides guidance on the purpose and contents of such plans (appendix 8)) must include, as a minimum being transparent about challenges and involving people in priority setting (section 4.3.4), application design, testing and decision-making (e.g. about release and deployment).

As per the learning summary of the Ratings and Register workstream [x] (subgroup of the recovery Programme) the tendency is for users to be defined only as the “people who collect the data with providers and are the users of the ‘apps’ in regulatory platform”. Effort must be made to broaden the definition of user to include the “downstream users of the data”.

It is recommended that:

4.3.3. A Data First Culture

The CQC should develop a policy position that recognises itself as a Data Business and lead a cultural change to promote the vital role that data plays in the execution of its purpose. This policy position then naturally leads on to the creation of a Data Strategy for the organisation in line with GDS¹ (section 4.5.2).

It is recommended that

4.3.4. Prioritisation method

With hundreds of items of fixes, changes, descoped requirements etc., in the workload backlog from the full range of the user community (noting the new definition above), and the inevitable frustration that this causes, an overt prioritisation method needs to be established in line with the ITIL principle Collaborate and Promote Visibility.

The aforementioned SECP should define which stakeholders are consulted in the creation of this method, and once drafted, this method needs to be signed off by the RP Programme Board and then communicated widely with the entire staff base at the CQC.

Decisions made using this prioritisation method should be made public likewise progress against agreed priorities. Kanban Boards can be a simple way to display workloads of different teams, these are in use within the technical teams (hosted in the Azure Devops environment), but they are not currently visible to staff outside of TDI (or written in a way that would be helpful for that audience).

In the short-term there will be many “moving parts” to the RP which will influence the priorities:

• Some fixes and issues will go into the design of the two main Apps (Registration and Assessment) that are to be re-written.
• Some will be put on hold because they will be obviated by a planned change to the CQC operating model.
• Some may be promoted as a result of priority setting by stakeholder engagement groups (emerging from the SECPs)

The medium-term work requires a more strategic approach to priority setting as a new operating model (TOM) is established and SVCs are mapped (section 4.5.1). The Theory of Constraints (TOC) (appendix 16) is a valuable concept here to help priority setting. Using a TOC approach, it is counterproductive (in terms of increasing value to your customers) to improve any aspect of the SVC except the constraint.

In simple terms every SVC will have a constraint (step in the process, certain resource etc) that sets the pace for the entire chain. The idea is to ensure that the constraint is always working at its maximum capacity, as it determines the overall throughput of the chain. If work is undertaken to improve the efficiency of a step before the constraint it will just increase Work in Progress (WIP) queued up at the constraint which is referred to as the “silent killer” (increases costs, complexity and confusion); efficiency improves after the constraint merely lead to that step being “starved” of work. No matter how efficient the downstream processes are, the overall throughput cannot exceed the capacity of the constraint.

It is recommended that:

4.3.5. Internal staff skills and capacity

The in-house skills to build and test D365 developments have been growing over the last two years, as evidenced by the in-house creation of the Assessment-lite app using D365 in the Technology Teams and the various data engineering successes between RP and EDP within the Data and Insights Teams.

It is viable, in the author’s experience to take on the redevelopment of RP and its associated data flows in house and hence avoid the aforementioned difficulties encountered with contingent labour and externally supplied expertise.

This is recommended with the following conditions/safeguards:

• Staff salaries must be competitive/attractive, and it is recommended that a benchmarking exercise be undertaken for the key roles associated with IT specification, development and testing. The current Recruitment and Retention Allowance for staff appears not to be effective in enabling the necessary move from contractor to substantive labour.
• Continuous professional development be funded and managed so that all aforementioned roles are skilled and knowledgeable to work at the top of their license.

• The services of an external D365 Expert organisation be procured to provide guidance, assurance, expert escalation services, regular health checks and audits. It is recommended that this is an open procurement rather than an extension of any existing relationship.
• The capacity of the internal teams be increased and the existing relationship with fixed term/contingent labour be phased out.

Naturally these recommendations should be worked up as a formal case for the ET to consider. It has not been possible within the constraints of this IIR to work up any further details on this proposal and hence it is recommended that:

4.3.6. Role clarity

Throughout this investigation, comments were made about a variety of situations where staff roles have been unclear (particularly between contingent and substantive staff), leading to duplication of effort or omission of duties and general poorly job satisfaction. An example of this was described above (section 3.7.5.1) relating to the relationship between the Technical Training Team and the Super Users.

The best practice method to achieve role clarity within programmes and services is the RACI matrix (Responsible, Accountable, Consulted, Informed). Appendix 14 provides detailed guidance on the creation of a RACI matrix.

It is recommended that

4.3.7. Safe handover

Given that the programme has been severely affected by contingent labour and the comings and goings of various external suppliers, there is an immediate need to safeguard the knowledge of how the RP was built.

It is recommended that

4.3.8. Standard methodologies based on best practice

In discussions with the PMO, it was reported that there is work underway to standardise the CQC’s Project and Programme Management (PPM) and Business Case disciplines in line with the central government recommendations, which are Prince2, AgilePM, MSP, ITILv4, and the three-stage, five-case business case model (as described above).

It is recommended that

4.3.9. Keeping it simple

The applications within the RP are immensely complicated. This has, in part has been caused by the policy positions taken during the organisational transformation programme (e.g. the establishment of over 90 Assessment Service Groups and the creation of Evidence Categories). Maintaining such a complicated suite of processes and hence application configuration and training staff in their use brings a heavy cost and management overhead. Using two of the ITIL principles (Keep it Simple and Practical; Focus on Value), as the CQC moves forward with policy refresh, process redesign and application reconfiguration it must seek every opportunity to keep processes as simple as possible and focus on the value the activities bring to stakeholders being prepared to sacrifice some fringe value if it drives complexity which is not practicably implementable.

It is recommended that

4.4. Short term immediate action

A consensus is emerging about the immediate fixes that need to be implemented to ensure that the CQC’s basic operational processes are “Safe and Stable”. The recommendations below reflect the recently presented (All colleague call (9,10 Jan 2024)) immediate actions, proposing technical and governance approaches.

4.4.1. Assessment Application

Workshops were held during Autumn 2024 with operational staff, legal, equality networks, trade unions, tech colleagues, and data and insights teams to identify core business requirements for a new version of the Assessment App branded as Assessment Lite.

The new app has been developed with inhouse D365 skills based on these requirements and is currently in the UAT phase. It is recognised as a simple version of Assessment process and acts as an MVP. It has received positive feedback from end users. It needs some technical tweaks but is generally stable. It addresses the known issues in the RP Assessment App (e.g., character count limitations, scoring at the evidence category level, uploading of documents, etc.) and resolves the vast majority of the 47 issues that have been documented (Appendix 15).

As it is a separate App (with its own database) that will be connected to RP it has (if it is adopted) started the movement to a microservices based architecture (section 4.2.1).

In line with the MVP concept, it will need considerable ongoing development to enable it to support the entire assessment process end-to-end for all sectors, including more complex ones like acute trusts and mental health trusts.

This work would be best governed by a formal project using the Agile PM management methodology, within the programme to mend RP. This must be managed in line with the ITIL principle of Progress iteratively with feedback.

It is recommended that

4.4.2. Publishing Reports

There is an urgent need to resolve the assessments and hence reports which are “stuck” in the RP system. The root causes of why assessments get stuck are a combination of poor programming of the system, where there are 'dead ends,' and a lack of understanding of how to use the system optimally as a result of its complexity. The CQC has a very effective Apps Support team, within the Service Delivery function who are able to investigate where the assessments are stuck and resolve the issues. The recommendation that this report would make for the existing “stuck” assessments is already being enacted – i.e. assign a senior leader to manage a Task and Finish group to investigate each assessment in this position and resolve it.

The two workarounds described earlier (section 2.8) are being implemented (Hybrid approach already live, Off Platform LAPS due to go live within the next few weeks) to prevent more assessments and reports becoming stuck.

It is recommended that:

4.4.3. Notifications processes

Given the serious incident where 20,000 Notifications went unprocessed for up to a year, there is an urgent need for effective management oversight of the Notification process to provide assurance that the status of each Notification is understood, and escalations managed as necessary. Given the multi-channel and uncontrolled way (e.g. old versions of document templates, multiple notifications bundled into one email attachment, etc.) in which providers are currently (section 2.3) able to submit legal Notifications it is impractical to write data collection and reporting tools to provide oversight of such complexity and as such the CQC is living with considerable risk in this area.

There are many public sector precedents of compelling customers to use the correct templated form/a web portal – e.g. Self-Assessment Tax returns, renewing car road tax, applying for a passport renewal etc.

Using the principle of Keep it Simple and Practical it is recommended that

This will require a management of change exercise with providers who will need to be given sufficient notice and support to make this change. This should be preceded with an engagement exercise with Providers to test the feasibility of this recommendation and to flush out edge cases for which it is impossible for providers to comply against which a small number of exceptions may need to be granted. During the engagement exercise the CQC should test the feasibility of simplifying the ownership of the Notification -i.e. making it clear, via messaging on the PP (at the point of form submission) that whoever submits the form, whether a single account or group account, they are doing so under the authority of the accounting officer of the provider.

It is further recommended that

4.4.4. Registration Application

A view has been expressed that Registration should remain on the legacy CRM solution for the medium term (perhaps for the next year), rejecting the process automation that was built into RP for Registration and ensuring the team is right sized to manage this process effectively while attention is focused on fixing the other aspects of the CQC's core process that reside on RP. A counter view has been put forward that due to its interdependency with the other aspects of the process and the errors that have occurred (section 2.9) it should be reintegrated onto RP as soon as possible. This report recommends that a Registration project is established as part of the mending RP programme with the aim of creating a Registration App within D365 as a microservice.

It is recommended that:

4.5. Medium Term/Foundation Improvements

The recommendations in the category are not intended to signal that they should be started in a later phase of the RP mend programme but that they will inevitably take longer to implement. It is recommended that work in the Medium Term/Foundation Improvements starts immediately.

4.5.1. The Target Operating Model and business process maturity

As described above (section 3.4), it is impossible to build an effective enabling technical solution to support a suite of business processes if the latter are immature (as defined by BPMM (appendix 2). These processes form part of the TOM along with other considerations (e.g., organisation, information, people, and governance). (Appendix 10) shows more details on a TOM). This has been referred to internally at the CQC as the “regulatory approach”.

Whilst certain urgent fixes can and must be made to the RP it will be impossible to run the CQC business processes on RP (and hence retire legacy systems) until the TOM and crucially its business processes mature to a level where they are effective, fully documented agreed by all stakeholders and capable of being managed (i.e. all staff are coached to achieve them as “standard work”).

As such, it is recommended that the organisation urgently embarks on a programme to develop, confirm, reinvigorate, and manage user adoption to its TOM, starting with the re-examination of the viability of the SAF methodologies and the policies which underpin it (e.g., algorithm-based scoring versus professional judgement, the use, or not, of Evidence Categories). Once agreement is reached about the policy positions, business processes need to be developed to BPPM maturity level 4. It is acknowledged that some of these processes will be capable of being operationalised now given the existing combination of CRM, off line working and RP functionality. Others will have to be in a theoretical “To Be” status until the technology “catches up” but as much testing of these as possible should be undertaken to provide assurance that they are practicable.

The principle of Focus on Value should be adopted as the TOM is redeveloped. Whilst this may sound obvious, it can be very challenging to do in practice as the first question is “Value for whom?”, given the large number of stakeholders that the CQC serves. A couple of examples are shown below to illustrate value in the perspective of different stakeholders:

New provider: It has been stated that the value for a new entrant to the care market is not just a registration certificate but also the outcome of their first inspection that provides them a rating. This perspective may alter the current structure where Registrations are managed separately from Assessments and the technology is built in separate applications.

Existing Provider: In the author's experience, when a provider receives a down rating of Inadequate or Requires Improvement, potentially following a CQC risk assessment as a result of Contacts with the public or statutory Notifications, they may feel that they have let the public down. They are required (quite correctly) to publicise (website, posters, banners) the rating and will do everything in their power to implement the necessary changes as quickly as possible and ensure that they are sustainable. They then need the re-inspection to take place urgently to validate the improvement work and reinstate their position with the public (to Good or Outstanding).

As such, the time between the completion of the remedial work and the re-inspection is a critical success factor from the perspective of a provider in this position. Arguably this is also true of the members of the public that the provider serves who may be taking decisions (i.e. whether to access care or not) based on an out-of-date rating. Examples can be found where the remedial work was completed more than 2 years ago, and the rating has not yet changed.

Once value propositions are known, then the chain of events that creates that value can be described (the Service Value Chain). It is likely that the CQC has a number of SVCs but relatively small in comparison to, say, an acute hospital.

In relation to the two examples above, a very simplistic view of the SVCs follows: New provider SVC: Registration >> Assessment/Inspection

Existing Provider SVC: Contact/Notifications >>Assessment/Inspection>> (possible)Enforcement>> Assessment/Inspection.

Detailed SVC mapping and analysis then enable prioritisation of work by using the concept of TOC (Appendix 16), as described in section 4.3.4.

Effective business process design should involve co-production with key stakeholders, including internal colleagues and external partners such as providers, NHS England, and DHSC. This collaborative approach ensures that the processes are well-informed and widely accepted.

This is a large undertaking and is likely to take months. However, the CQC is not starting from scratch – Process Libraries and Knowledge Banks exist on the CQC intranet with dozens of process and sub process diagrams. The organization has capable people who can lead and facilitate the necessary changes in business process design and has successfully undertaken similar initiatives in the past, such as the development of the five key questions methodology. These individuals have the skills and experience needed to undertake this work effectively. While the capability exists, there is a need for strong leadership and facilitation to guide and support these efforts. This includes providing direction, resources, and support to ensure successful outcomes.

It is recommended that:

4.5.2. A Data and Reporting Strategy

To support a Data First culture, it is recommended that:

This strategy will, at a minimum:

Review and then confirm the target reporting architecture and develop a fully funded roadmap to progress to this status. This is expected to restate the retirement of a legacy data warehouse recognizing this covers over 100 external datasets a developing/procuring a more robust method of integrating qualitative data.

Develop a governance model (similar to a scheme of delegation for financial control) that assigns ownership of data domains and their component subject areas to appropriate senior staff throughout the CQC who will then be expected to implement the appropriate controls to ensure the full data lifecycle (section 4.3.1.2) is managed. This governance model should create/reinforce cross functional teams that include technology, data and business areas that have ownership of a particular aspect for the system/service. For example, a Registration team/teams made up of users, engineers who can develop the tech, data experts who can understand the data implications, testers etc- who own the end-to-end Registration flow and continue to develop it over time.

Define the approach to data quality reporting which provides an accountability framework to underpin the data governance model.

Restate the way data changes are governed in an integrated approach (as per change control, section 4.3.1.2).

State the strategic intent to change the resourcing model from a heavy reliance on external or contingent labour to appropriately skilled inhouse substantive workforce, right sized for the agreed pace of the strategy.

Analyse the nature of Technology Data and Insight workforce constraints (e.g. reliance on single “points of brilliance”) and supplement them where possible using the TOC approach (appendix 16).

Recognize that the self-build and self-run approach taken for RP necessitates a significant ongoing financial investment which requires an uplift in internal digital capabilities to ensure the Service Operation and Continual Service Improvement phases of the Service Lifecycle are properly established and skilled. This is reinforced by the UK Gov Functional Standard for Digital which mandates the CQC to adhere to the service standard: “through all phases of the service life cycle”.