3.24 After receiving bidders' responses to the statement of requirements the Procurement Authority set up risk registers for each of the three shortlisted bidders and established procedures to identify, evaluate, control, monitor and report these risks to the Project Management Board.
3.25 Risks were classified according to their perceived severity. "A-class" risks were "show stoppers" which if still present at the time of invitation to tender would mean that the service provider would not receive an invitation. Serious "B-class" risks were categorised into those with an impact on the project of more than £5 million a year, £1 million to £5 million a year and under £1 million a year. They would not preclude a service provider from tendering, but the costs would be taken into account in bid evaluation. "C-class" risks were minor, which though considered in evaluation, would not add costs to a bid.
3.26 The procurement authority managed these risks through discussions with the service providers and evaluation of their written responses. Pathway's responses were comprehensive and detailed, and some proposed significant changes in their proposals for design and implementation of the project. These included the use of verification procedures to confirm the identity of claimants at post offices, and upgrading key software from 16 bit to 32 bit technology. On the basis of these responses the purchasers cleared and downgraded risks. It is evident however from subsequent events that some of the risks identified in Pathway's solutions and recorded as cleared at the time the contract was awarded were still live, as shown in Appendix 7 of this report. These included areas such as the system's ability to meet security requirements and the dependence of the system on the development of new software. Pathway told the National Audit Office that many of the risks identified by the purchasers as re-emerging post contract were not shared or discussed formally with them, and that they had not been aware that the purchasers saw many of them as still live.
3.27 Just before the issue of the invitation to tender the risk register for Pathway's proposal showed one outstanding "A" - grade "show-stopper risk", which according to the purchasers' procurement strategy should have precluded them being invited to tender. This risk, of Pathway's reliance on a key piece of messaging software which would need to be scaled up to meet the requirement, was downgraded on the basis of proposals from Pathway. At this stage Pathway's bid had the highest number of outstanding serious B - grade risks, each with an even or higher chance of occurring.
3.28 Though the approach to identifying risk to the project, based on the analysis of each service provider's proposal was sound, it focused heavily on financial risk transfer. This was based on the premise that the business risk of late delivery could be transferred to the service provider to manage, whereas in fact, as subsequent events showed, much business and commercial risk for the benefits card payment project still lay with the Department. In fact, delays in delivering the project would cost the taxpayer some £15 million a month in terms of continuing fraud and administration costs. In principle, the purchasers had some protection against these costs through their rights under the contract to sue Pathway for damages of up to £200 million. However, the purchasers did not sue for damages because the agreement reached with ICL in May 1999, by mutual consent and in agreement with Ministers, was in full and final settlement of their claims against Pathway and Pathway's claims against them.
3.29 During the pre-contract period all three shortlisted suppliers offered and provided the joint Authority with versions of their own risk registers for the project. Pathway submitted a risk register containing 20 risks. The most severe risk recorded related to the technical boundaries between Pathway's and the purchasers' systems. It also put a marker down for other risks, such as the late delivery of the CAPS system and the handling of temporary tokens and casual agents, which became major issues after the contract was signed. While clearly the Procurement Authority would have to consider the content of Pathway's risk register very carefully, we found no evidence that they had fed anything from it into their own risk assessment process.