Half of three departments’ key risks concern technology
Annual reports of HM Revenue and Customs, Home Office and DWP discuss risks from cyber security, data protection and specific projects
Half of the key risks identified by the Department for Work and Pensions, the Home Office and HM Revenue and Customs in their 2021-22 annual reports involve digital technology and data, compared with just over two-fifths in 2020-21.
In their 2021-22 annual reports published this summer the three organisations identified a total of 28 key risks, 14 of which make reference to digital technology and data. The reports for 2020-21 included a total of 26 key risks, of which 11 referred to technology.
Six of HMRC’s nine strategic risks were linked to technology, compared with five a year ago. It identified the same nine strategic risks both last year and this year, but for 2021-22 said that it was directing significant resources to areas including data protection and cyber security as part of its work to tackle risks on external perception and loss of trust.
HMRC rates the severity of these risks and in 2021-22 all four of those rated red for most severe were technology-focused: security, exploiting information, improving customer experience and data protection. It rated the risks on both security and data protection as high probability and very high impact, the highest among the nine strategic risks identified.
However, HMRC said it was improving in both areas. On security, it has introduced a cyber tactical remediation programme, moved some services away from legacy data centres, introduced a new security incident response tool and overall is aiming to reach “a tolerable position by March 2025”. On data protection, its work has included “considerable deletion” of personal data and it plans to complete business process mapping for specific taxes. In January, chief executive Jim Harra told Civil Service World that improving defences against cybercrime was one of his main aims for 2022.
Six of the Home Office’s 16 key risks in 2021-22 referred to technology, compared with five of the 14 identified a year earlier. Both years’ lists included IT resilience, cyber threats and Covid-19, which was tackled in January 2022, when the department confirmed it will offer hybrid working as part of its One Home Office transformation programme.
In 2021-22, all three of what the department classed as programme risks concerned technology projects. The risk of failing to deliver the Emergency Services Mobile Communications programme was also in the 2020-21 report, but the department said the programme is making good progress with the full business case approved in July.
Two of this year’s Home Office programme risks were new ones. One involved the Digital Services at the Border programme, although the department said progress has been faster than expected on fixed primary control points and eGates. The second focused on whether the National Law Enforcement Data Programme will deliver the Law Enforcement Data System, planned to replace the Police National Computer, within planned timescales.
“The programme remains highly complex with significant internal and external dependencies,” the report noted. In December 2021, Parliament’s Public Accounts Committee said the work continued the department’s “miserable record of exorbitantly expensive digital programmes that fail to deliver”.
Two of the Department for Work and Pensions’ three principal risk themes for 2021-22 had technology links, compared with one in 2020-21. On fraud, error and debt, the department mentioned using technology to identify and recover funds obtained through fraud. On getting people into jobs, improving lives, helping communities and rebuilding the economy, it said it had invested in technology as part of adapting systems to help support the record numbers of people who sought help from the department during the Covid-19 pandemic. Its discussion of a similar risk theme in 2020-21 did not mention technology.
Key risks were deemed to have a link to digital technology and data if the annual report’s coverage included at least one of the following terms: cyber, data, digital, hybrid working, mobile communications, IT, online or technology.