19 The purchasers' joint procurement team made strenuous efforts to identify the risks of the project. In March 1995 they compiled a register comprising 224 risks, including virtually all those that could have been foreseen and those that eventually impeded the delivery of the project. However, this register did not include assessments of each risk's probability and impact, nor did it allocate risks to "owners" for management, or propose options to manage the risks. We found no evidence that this formal register was subsequently further developed and actively used in the project, though some of the risks it contained were identified again in subsequent registers later in the project.
20 We found that the purchasers' process for selecting a supplier was diligent. Considerable resources, effort and care went into the evaluation of bidders' proposals, and we found no indication of any impropriety. In mid-1995 the procurement team produced separate risk registers for each of the three shortlisted bidders based on their detailed technical proposals, demonstrations of capability and subsequent negotiations. This approach was fundamentally sound. But though risks were assessed for impact and probability of occurrence, there were significant risks in Pathway's proposals that the procurement team's register did not address. These included risks to delivery from very ambitious proposed timescales for system development and testing, to meet exacting deadlines for implementing the Payment Card, and a lack of information on the resources that Pathway would apply.