POL00028150
22 FEB ‘96 17:21 FROME P.18/48
PROD4-08 RESTRICTED CONTRACTS
Bringing Technology to Post Offices and Benefit Payments
RISK REGISTER ANALYSIS
Author: Alan Fowler Version: Draft 0.1
Authority: Risk Assessment Panel (RAP) 19 February 1996
Reference: PROD4-08
Contents
1. PURPOSE
2.3. Pathway
3. OUTSTANDING CARDLINK RISKS
3.1. End to End Risks
3.2. CNT Risks
4. OUTSTANDING IBM RISKS
4.1. POCL Applications Risks
4.2. Implementation Risks
5. OUTSTANDING PATHWAY RISKS
5.1. POCL Infrastructure Risks
5.2. POCL Applications Risks
5.3. Security Risks
5.4. CNT Risks
1. PURPOSE
1.1. This paper analyses those risks that remain on the Service Provider Risk Register
(SPRR) at the end of Stage 3. The risk owners and the Risk Assessment Panel (RAP)
have assessed these risks, where possible, for attributable cost and probability. The
paper shows the reasoning behind their assessments.
1.2. The attributable costs and probabilities will contribute to the financial evaluation of
the Service Providers’ responses to the Invitation to Tender (ITT).
19 February 1996 Page 1 of 11 Draft 0.1
1.3. The paper is constructed as follows:
• Section 2 presents a summary of the overall risk position for each Service
Provider. It recommends whether the Programme should invite the Service
Provider to tender in accordance with the policy regarding risks.
• Sections 3-5 identify the risks for each Service Provider in turn, grouped into the
demonstration and requirements streams. Each risk is stated, and is followed by an
analysis of the risk.
2. SUMMARY OF SERVICE PROVIDER RISKS
2.1. Cardlink
2.1.1. The overall Cardlink risk position is as follows:
Risk Severity | Demonstration | Requirements / Solution | Core Negotiation Team | Total
A 0 0 0 0
B1 0 0
B2 0 0
B3 0 0
C 0 0 0 0
Q 0 0 0 0
2.2. IBM
The overall IBM risk position is as follows:
Risk Severity | Demonstration | Requirements / Solution | Core Negotiation Team | Total
A 0 0 0
B1 0
B2 0 0
B3 0 0 0 0
C bs wae 5 0
Q 0 0 0 0
22) TBM hos 0 Ri RERUATUSCORERHEE NH Re procurement POliey convening Hisksyte
2.3. Pathway
2.3.1. The overall Pathway risk position is as follows:
Risk Severity | Demonstration | Requirements / Solution | Core Negotiation Team | Total
A 0 0
B1 0 0 2 (+1 O/N) 3
B2 4 1 1 6
B3 0 (+1 O/N) 0 1 2
C 2 0 0 2
Q 0 0 0 0
2.3.2.
3. OUTSTANDING CARDLINK RISKS
3.1. End to End Risks
CLK001: PAS / CAPS reconciliation (Requirements / Solutions)
3.1.1. The risk statement is: “At the end of the day, an extract of payments made is taken
from the PAS database. This is reconciled against the polled log from the offices.
Can this be reconciled and sent back to CAPS in time to meet the requirement for the
supply of data no later than the start of the next working day?”
3.1.2. There is a requirement for PAS data to reach CAPS by 03.00 daily. Cardlink claims
to be able to meet this requirement, but at a cost yet to be calculated. The current
assessment is that this would cost less than £1 million a year. This equates to a B3
risk. However, Cardlink is likely to come up with a solution that meets CAPS
requirements with no additional cost, so this risk has a probability of 1. In any event,
we would need to ensure that we do not double count this risk by applying both the
additional charge and the attributable cost of the risk.
3.2. CNT Risks
CLK058: Transaction timing exercise
3.2.1. The risk statement is: “The automated service may result in longer transaction times
for the payment of benefits at post offices. Adverse consequences of this would
include:
• additional operational costs for POCL staff and agents;
• worsening of quality of service to POCL customers, especially at peak times
for benefit payment and consequential risk of loss of business;
• the need to build and open additional service positions and / or additional
post offices;
• higher charges for the automated service as a result of the need to equip
such additional service positions and / or sites.”
3.2.2. The Programme has raised this risk following the POCL transaction timing exercise.
Further work may reduce this risk. Currently, this is a B1 risk with a probability of 4.
4. OUTSTANDING IBM RISKS
4.1. POCL Applications Risks
IBM075: Track record of StorePlace (Demonstration)
4.1.1. The risk statement is: “StorePlace is a new product, unproven in post offices and the
UK retail environment, and so there are risks relating to the delivery of the promised
functionality and performance.”
4.1.2. StorePlace is IBM’s EPOS solution for the future. Woolworth in USA has committed
to the product, and IBM has delivered customised modules for testing on time. IBM
has completed the core product, and is developing it for the postal environment.
However, there is no track record of the product as yet.
4.1.3. IBM has provided development plans that convince the risk owner that IBM will
deliver StorePlace on time. However, Woolworth will be using StorePlace (albeit
with customised modules) in a live environment before the Programme. The risk is
minor, but certain: a severity C with a probability of 5. The risk owner will assign a
lower score value factor to IBM compared with a Service Provider that has a
demonstrable product.
4.2. Implementation Risks
IBM033: Office availability (Requirements / Solutions)
4.2.1. The risk statement is: “99% availability at offices outside the top 1000 implies 3
days per annum per office service unavailability. Such unavailability would not meet
the customer service requirements of the Programme.”
4.2.2. IBM has submitted a paper that commits to higher availability than 99%. However,
service levels will now be dealt with through the negotiation process, so this risk may
well be cleared. Currently, it is a B2 risk, with a probability of 3.
IBM083: Method and duration of training (Requirements / Solutions)
4.2.3. The risk statement is: “Supplier is proposing on-line CBT for POCL employees,
agents, and staff. The document “Definition of User Implementation” (21/1/96)
states that CBT duration “will depend on user requirements (needs of site and
existing skills and experience)”. It is unclear if this document was intended to be the
formal response to this risk, or that a further response will be received. Either way,
the duration of CBT is uncertain and potentially unbounded.”
4.2.4. IBM has reduced the CBT effort from twelve to seven hours. However, it is unclear
whether IBM is proposing supervised CBT or self-teach CBT. POCL has confirmed
that CBT is an acceptable training method. The Programme has scheduled a meeting
for 19 February to clarify the situation with IBM. Currently, this is a B1 risk, with a
probability of 0 (undefined).
IBM084: Location for off-site configuration (Demonstration)
4.2.5. The risk statement is: “IBM had planned to use its Greenford site for off-site
configuration etc. It now might use an IBM manufacturing warehouse sited at
Anchorage Park, Havant, which it says will require minimal fit-up time. IBM has
been asked to confirm its plans in relation to this site.”
4.2.6. IBM has now confirmed that it will use Greenford, with its subcontractors
(Microroute) as a back-up. The Programme has not been able to inspect either site, so
a minor risk remains. This is a C risk, with a probability of 1.
4.3. CNT Risks
IBM092: Transaction timing exercise
4.3.1. The risk statement is: “The automated service may result in longer transaction times
for the payment of benefits at post offices. Adverse consequences of this would
include:
• additional operational costs for POCL staff and agents;
• worsening of quality of service to POCL customers, especially at peak times
for benefit payment and consequential risk of loss of business;
• the need to build and open additional service positions and / or additional
post offices;
• higher charges for the automated service as a result of the need to equip
such additional service positions and / or sites.”
4.3.2. The Programme has raised this risk following the POCL transaction timing exercise.
Further work may reduce this risk. Currently, this is a B1 risk with a probability of 4.
5. OUTSTANDING PATHWAY RISKS
5.1. POCL Infrastructure Risks
PWY009: Riposte is unproven (Demonstration)
5.1.1. The risk statement Soe ep een,
‘1 PEARS WROTE I
(b) the performance may be inadequate in the largest offices because of the data
being replicated between workstations (currently no office exceeds 25
workstations, but larger offices may be formed in the future);
(c) Riposte may be very difficult to manage when 30+ correspondence servers are
implemented, and such number will be necessary to support 40,000 counter
positions.”
An Post's Riposte 2 installations have been reliable. Furthermore, Pathway has
demonstrated, through modelling, that Riposte can cope with larger offices, and the
management of the (now proposed) 16 correspondence servers.
However, Pathway is proposing a 32 bit version of Riposte. At present this version is
untried in a live environment, so there remains a risk. However, An Post will be
using Riposte 32 before the Programme, so the risk is not severe. The RAP assigned
the risk a severity of C with a probability of 5. This risk is similar to that for IBM's
StorePlace (IBM075), although Riposte is more proven than StorePlace. The risk
owner will deal with the comparative aspects of these risks through the value factors.
PWY065: Security of data between OP and TMS (Requirements / Solutions)
The risk statement is: "We understand that only Benefits Encashment data will be
protected by digital signatures. The security of all other data would appear to be
purely reliant on simple CRCs and sequence numbering, which would appear less
secure than current financial industry standards. Non BA data (such as automated
payments’ data) appear not to be the subject of any message authentication and are
at risk of unauthorised or fraudulent modification, and as further transactions are
automated, the scope for fraud on the system will increase. There is no evidence that
the facilities required for message authorisation (including key management) are
being provided as part of the basic infrastructure, and addition of such a facility as
an afterthought as other applications are added is unlikely to be satisfactory.”
The other two Service Providers are proposing finance industry security standard
encryption of non BA data. In comparison, Pathway’s proposed security mechanisms
are weak and unsatisfactory. Pathway has furnished three responses to this risk, the
third of which seems to address it. However, the risk owner wishes to ensure that
Pathway incorporates its proposals in its response to the requirements.
Therefore, the risk owner proposes that the RAP transfers the risk to the
Requirements stream, and that it will be for the Requirements stream to propose
clearance if and when a satisfactory solution is received.
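The gap that PWY065 describes, as an added example that is not part of the original paper: a CRC with a sequence number catches accidental corruption and replays, but anyone who alters a message can recompute the CRC, whereas a keyed check cannot be recomputed without the key. HMAC-SHA256 stands in here for the "message authentication" the risk statement asks for; the frame layout, field names, key and sample record are all constructed for illustration.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed for illustration: neither the layout nor the key comes from the paper.
KEY = b"constructed-demo-key"
HEADER = struct.Struct(">II")  # terminal id, sequence number


def pack_crc(terminal, seq, payload):
    """Frame protected only by CRC-32 and a sequence number."""
    body = HEADER.pack(terminal, seq) + payload
    return body + struct.pack(">I", zlib.crc32(body))


def pack_mac(terminal, seq, payload, key=KEY):
    """Same frame, but the trailer is a keyed MAC over header and payload."""
    body = HEADER.pack(terminal, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Verifies the trailer, then enforces strictly increasing sequence numbers."""

    def __init__(self, key=None):
        self.key = key          # None selects CRC-only checking
        self.last_seq = {}      # terminal id -> last accepted sequence number

    def accept(self, frame):
        tag_len = 32 if self.key else 4
        if len(frame) < HEADER.size + tag_len:
            return False
        body, tag = frame[:-tag_len], frame[-tag_len:]
        if self.key:
            expected = hmac.new(self.key, body, hashlib.sha256).digest()
        else:
            expected = struct.pack(">I", zlib.crc32(body))
        if not hmac.compare_digest(tag, expected):
            return False
        terminal, seq = HEADER.unpack(body[:HEADER.size])
        if seq <= self.last_seq.get(terminal, -1):
            return False        # replayed or out-of-order frame
        self.last_seq[terminal] = seq
        return True


def modify_in_transit(frame, old, new, tag_len, recompute_crc):
    """Alter the payload; only a CRC trailer can be rebuilt without the key."""
    body = frame[:-tag_len].replace(old, new)
    if recompute_crc:
        return body + struct.pack(">I", zlib.crc32(body))
    return body + frame[-tag_len:]


def demo():
    payload = b"AP;payee=0001;amount=00010.00"  # constructed non-BA record
    crc_rx, mac_rx = Receiver(), Receiver(KEY)
    crc_frame = pack_crc(7, 1, payload)
    mac_frame = pack_mac(7, 1, payload)
    altered_crc = modify_in_transit(crc_frame, b"00010.00", b"90010.00", 4, True)
    altered_mac = modify_in_transit(mac_frame, b"00010.00", b"90010.00", 32, False)
    return {
        "crc_altered_accepted": crc_rx.accept(altered_crc),
        "mac_altered_accepted": mac_rx.accept(altered_mac),
        "mac_genuine_accepted": mac_rx.accept(mac_frame),
        "mac_replay_accepted": mac_rx.accept(mac_frame),
    }


if __name__ == "__main__":
    print(demo())
```

The keyed variant is only as strong as the protection of the key, which is why the risk statement raises key management alongside message authentication.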
PWY066: Strong sequence numbering in Riposte (Demonstration)
The risk statement is: “Escher has recommended that Riposte requires strong
sequence numbering and strong identity to ensure maximum resilience of the
message store and to minimise the risk of corruption during cases of multiple failure.
Escher suggested that a dongle providing the terminal identity and monotonically
increasing sequence numbers would be its preferred solution. If Pathway does not
follow Escher's recommendation there is a risk that Riposte will not operate as
designed, and that data will be lost or corrupted.”
5.1.9. Pathway’s response concentrated on discrediting the possibility of failure, rather than
addressing the risk. The RAP took the view that the Programme would wish to
minimise the loss of transactions rather than assess the cost of the risk. Therefore, the
attributable cost is the GENSHESNEER nies Pathway proposes an acceptable
alternative) for each terminal at multi-terminal sites. This would be about 30,000 x
£30, i.e. £900,000 as a one-off cost. This equates to a B3 risk, with a probability of 5.
5.2. POCL Applications Risks
PWY005: Five generic functions (Demonstration)
5.2.2. Pathway proposes to develop discrete bespoke applications for the identified
requirements. Similarly, it proposes to develop any future applications in a bespoke
manner. This is intrinsically less flexible than a generic approach. This bespoke
approach potentially could increase development costs and development times. In
turn, this may result in higher change costs and delayed implementation, thus
delaying benefit. However, we should note that An Post’s experience of
implementing new applications (passports) onto Riposte has been encouragingly
speedy.
However, as we are unable to identify these new applications, we are unable to
quantify the benefits. (Also, we are excluding possible future business benefits from
the business case models.) Similarly, we are unable to identify the development costs
and timescales for these applications by any of the Service Providers. Therefore, we
can make no fair comparison to attribute differential costs.
Nevertheless, flexibility is a requirement, and Pathway’s approach is less flexible
than the other Service Providers. Because of this, the RAP assigned it a severity of C,
with a probability of 4. The risk owner proposes to give Pathway a lower value factor
mark because of this lower flexibility.
5.3. Security Risks
PWY076: STOP on restricted payments (Demonstration)
The risk statement is: “If the communications link to a post office has failed, then
STOP messages will not be actioned on home office payments made at that post
office.”
Pathway proposes that the Help Desk telephones STOPs to post offices where the
data lines are not working. However, there remains a problem where the voice
communications lines are down simultaneously with the data lines. Early estimates
indicate exposure of £400,000 annually, as well as costs of post office staff time to
take the calls and enter the STOPs manually. This is a borderline B2 / B3 risk, so we
have “played safe” with a B2, with a probability of 5. Further assessment may
indicate a B3 attributable cost. This may be mitigated by Pathway accepting the
transfer of this risk.
PWY078: Card technology and authentication (Demonstration)
The risk statement is: “The proposed card authentication method (CAM) is
technically insecure and places an unrealistic reliance on the vigilance of post office
counter clerks. Pathway's proposed fraud and risk management does not mitigate the
risk of a weak CAM. The proposed CAM does not allow for the identification of a
counterfeit card. Potential attributable costs in this area are not restricted purely to
financial loss through fraud. Other areas of impact are:
(a) additional administration costs caused by card compromise;
(b) loss of confidence in the BPS;
(c) political damage in the event of genuine customers being denied benefit, or
being subject to allegations of transaction repudiation;
(d) increased exposure to widespread transaction repudiation due to publicity of
card compromise;
(e) a widespread card compromise may damage the BA / POCL relationship.”
Pathway’s response to this risk was to propose a protected memory integrated circuit
(IC) card. This did not mitigate the risk, and furthermore if Pathway continues to
pursue this, would raise additional risks. Originally, this was assessed as a B1 risk,
with a probability of 4. Further assessment shows that it should be B2 severity. It was
not possible to determine the attributable cost since we are unsure of how much
Pathway is accepting transfer of this risk.
PWY079: Fraud and risk management (Demonstration)
The risk statement is: “Pathway has not documented its approach to the
management of the increased exposure to fraud, within the overall payment of the
benefits system, during implementation of the automated BPS. Pathway’s stated
position of “rapidly rolling out the infrastructure and cards” is an inadequate or
inappropriate countermeasure to the perceived risk. There are a number of aspects
not countered in its response, e.g. the exposure to fraud which may be caused by
confusion via two systems.”
5.3.6. Pathway’s response to this risk added nothing to its response to the Security Review.
Early estimates give a risk exposure of £3 millions a year during the roll-out period.
This is a B2 / B3 marginal risk, but it is safer to leave it as a B2. It has a probability
of 4. Further assessment may indicate a B3 attributable cost. This may be mitigated
by Pathway accepting the transfer of this risk.
PWY082: Steady state fraud and risk management (Demonstration)
5.3.7. The risk statement is: “Pathway's current position in respect of steady state fraud
and risk management does not support the Programme's stated objective of a
“fraud-free method of payment”. Pathway’s understood position is unacceptable as
it appears that fraud and risk management is offered as an “added value service”.
To ensure the effective operation of a “fraud-free” service, fraud and risk
management cannot be an optional extra. Pathway's approach to fraud and risk
management does not appear to support the Programme's requirements for the
sharing of risk. It is not viable to impose individual countermeasures at the business
process level without an overarching security management structure.”
Pathway’s response to this risk added little to its response to the Security Review.
Early estimates give a risk exposure of £3 millions a year in steady state. This is a B2
risk with a probability of 4. This may be mitigated by Pathway accepting the transfer
of this risk.
5.4. CNT Risks
PWY002: Size of Escher
5.4.1. The risk statement is: “The Programme is concerned that for Riposte the proposal is
totally dependent on Escher, which is a relatively small USA based company. More
information is required on the size and stability of the company.”
5.4.2. The CNT has referred Pathway’s response to this risk to Charterhouse. This is a B3
risk, with a probability of 4.
PWY003: Fraud risk on card
5.4.3. The risk statement is: “Pathway, in its commercial proposal, does not accept the
fraud risk associated with losses from coordinated attacks (fraudulent copying and
counterfeiting) on the card. It is prepared to provide a more fraud resistant card, at
a higher cost, which is still likely to be at BA’s risk.”
5.4.4. This is an A risk, with a probability of 4.
PWY047: Track record of working together
5.4.5. The risk statement is: “Pathway is a new company set up for this procurement. There
is no track record of Girobank, ICL, and De La Rue working together.”
5.4.6. This is a B2 risk, with a probability of 3.
PWY057: Contractual relationships
5.4.7. The risk statement is: “An Post / Escher is a supplier to the Pathway consortium.
Escher is involved in the development of the An Post automation, and is also
involved in the Singapore Post Office automation. The An Post development is
concurrent with that which will be required for BA / POCL, the position with
Singapore development is yet unknown. Need to define the contractual relationship
with Escher.”
5.4.8. The CNT has referred Pathway’s response to this risk to Charterhouse. This is a B1
risk, with a probability of 5.
PWY061: Financial structure and funding arrangements
5.4.9. The risk statement is: “The financial and funding arrangements that Pathway has
declared represent an unacceptable risk to BA / POCL in these areas:
1) As Pathway’s credibility in relation to performance is dependent on its
Shareholders and other sub-contractors, and BA / POCL will not have a
contractual relationship with these parties, there is a significant risk in respect of
the efficacy of the sub-contract arrangements to be put in place by Pathway.
2) The relatively high level of financial gearing and the comprehensive security
package required by Pathway’s banks represents significant risks associated with
the adequacy of both initial capital investment and finance later in contract life.
3) A Pathway default resulting in termination and damages would place BA / POCL
in a position of being unsecured creditors behind the banks’ secured positions.
There is a significant risk that BA / POCL would not be able to recover all
moneys due.
4) The suggestion by Pathway that BA / POCL would be obliged to acquire the parts
of the automation service that have been rolled out successfully represents a risk
on termination that the pre-agreed amounts may not reflect the market value of
these assets, nor the utility value of the assets to a new operator.”
5.4.10. The CNT has referred Pathway’s response to this risk to Charterhouse. This is an A
risk, with a probability of 3.
PWY054: Policy on foreign encashments
5.4.11. The risk statement is: “The viability of the proposed distributed solution is dependent
on there being a low proportion of foreign encashments and on the continuation of
the nominated office concept. Any significant increase in the number of foreign
encashments may render the authorisation process uneconomic.”
5.4.12. This risk relates to Pathway’s proposal to charge more for foreign encashments than
home encashments. The additional cost to the Programme will depend upon the level
of the additional charge and the proportion of foreign encashments. The proposed
charges in the response to the SSR show that a 1% increase in foreign encashment
adds £0.62 millions to the transaction charges, and £0.85 millions to the Service
Provider charge. Any amount of foreign transactions above 3.5% would give this a
B1 severity rating. Currently, the maximum foreign encashment is about 7.5%. This
is a B1 risk, with a probability of 4 (likely). However, we need to ensure that we do
not double count this risk by including the charges in Pathway’s proposal and the
attributable cost of this risk.
PWY084: Transaction timing exercise
5.4.13. The risk statement is: “The automated service may result in longer transaction times
for the payment of benefits at post offices. Adverse consequences of this would
include:
• additional operational costs for POCL staff and agents;
• worsening of quality of service to POCL customers, especially at peak times
for benefit payment and consequential risk of loss of business;
• the need to build and open additional service positions and / or additional
post offices;
• higher charges for the automated service as a result of the need to equip
such additional service positions and / or sites.”
5.4.14. The Programme has raised this risk following the POCL transaction timing exercise.
Further work may reduce this risk. Currently, this is a B1 risk with a probability of 3.