|
Introduction to DTI "TickIT" SchemeFrits Janssen, Managing Director, IT World Ltd |
Information Technology Specialist Group Meeting
Chairman - Hugh Richardson, Burmah Castrol Trading Ltd
Frits Janssen has come to speak to us this afternoon about the TickIT Quality Management system certification scheme. He is Managing Director of IT World Limited, prior to which he held senior financial and general management positions in UK and Switzerland. He is a Chartered Accountant by profession and combines management, financial and marketing skills with many years experience of IT applications, and a ten year track record in the specification, management and implementation of DTI awareness programmes.
Introduction to DTI "TickIT" scheme
Frits Janssen, Managing Director, IT World Ltd
Ten years ago I started an IT consultancy by happenstance, and my first clients were the Department of Trade and Industry who were promoting IT messages to industry. I got to tender a lot with the DTI to run campaigns about particular issues. The particular issue we are talking about today is software quality, which to you, as a group, is a key issue. If I may, I will describe the story of TickIT, why the DTI is involved, and why they are spending one and a half million pounds a year on telling everybody about it. Maybe afterwards we can ask, should they be doing that?
Ten years ago I knew nothing about government departments. In six years with Coopers, and eight years with Bowater, I really hadn't been involved in massive government funding of technology projects. Here we are basically talking about IT technology projects. It is amazing, they are spending megabucks, even apart from ESPRIT and the ALVEY programme. They spend an awful lot of money, even now when they are non-interventionist, on just picking up an issue and deciding to go for it.
You might say, why are they going for TickIT? The rationale as to why they are involved in a particular project is usually because it was in the Budget three years ago. There are 200 people in Manufacturing Technology Division who have to create a rationale for what they are going to do, so they write these plans. Ministers can't stop it because Ministers change so often. I've seen ten different Ministers in the last ten years. Parkinson was the most spectacular, he was the only one I knew privately, but he was spectacular.
The DTI are amazingly professional people, I will use Manufacturing Information Technology Division as an example - it consists of about 200 people. It has a Grade 3, who will be paid about £40,000, and he will have five Assistant Secretaries, each of whom will have a branch, with about ten Principals, and about ten or twenty staff. The amount of work input they provide, which is not performance related, is quite significant. I now know (and I have to know because that group of people is my client base) that they spend, or have influence on, about £400-£500 million of government money. This spend is directed towards the promotion of IT uptake, either for the IT industry's sake, or for industry's sake in benefiting UK Limited. It's not mostly misguided, but some of it is. Sometimes you feel that they haven't really got to the bottom of the issue before they go and promote it, and have Alan Sugar saying 1992 is good for you.
What is TickIT about? TickIT is about standards in software quality, and it is a special scheme. Some of us here today are chartered accountants, there are 120,000 of us, and 60,000 of us provide audit certificates that we comply. And it is a fantastic business. TickIT is about certification that your quality management system, in your software development process, complies to the scheme. It is an audited scheme. The first thing you have got to decide is what are you going to audit.
I have learnt, in these last six months, that in the certification of quality management systems to BS 5750 standards, there are now 1,000 auditors providing these certificates. I'm not suggesting that it is good or bad, but BS 5750 has become big business, in terms of 1,000 man-years. However there are only 35 TickIT auditors. So a standard has been set, together with certificates in relation to that standard, which is BS 5750. Now you've got the TickIT scheme that says "Industry has decided that software is special, you need both special guidelines, and special auditing rules".
How does the DTI work? And how does a Principal, who runs a section with her 8 people, decide to proceed? In this case she was appointed four years ago. She is called Margaret Dennison, she is the Program Manager of TickIT, and she was not involved in TickIT before that. But that same unit picked up "Is quality management an issue?" What they do is go out to tender, and they ask for a study to be done. Logica got that one and did an investigation, to look at a QMS certification scheme.
The standard of a quality management system was defined through the BSI as BS 5750. This is the same as ISO 9001 and EN 29001, they just use these different numbers to confuse us. The Logica report says that 9001 is relevant to software, but also said that there ought to be special guidance. The general specification of a quality management system isn't quite applicable to software development, which is special. Logica also reported that we needed special auditing standards and an awareness campaign to promote the issue. Then the DTI said "what do you mean?"
What you mean is you need to promote the fact that there is a need. I didn't actually bid for this - Price Waterhouse won it, and did a study to look at the cost benefit. Is bad quality software a problem in British industry? This was not a great surprise, but they decided it was £1m per hour loss. This was therefore the case for the civil servants to say that we should spend some public money to promote a standard. The way they did it was to say, "Perhaps we should use the British Standards Institute as the link?" This is the follow up to Price Waterhouse saying that poor maintainability is the biggest issue.
The DTI commissioned the British Computer Society to look at a special sector scheme, and then issued the TickIT guide which packaged the standard. The standards are fantastically boring! I've been running this campaign for six months, and I still haven't read the grey guidebook! I mentioned that auditors rules were considered to be important, and that they were particular, and so particular guides were set for TickIT auditors. A BS 5750 auditor can be anybody who goes along and provides a certificate that somebody complies. I must say it is very good that, under TickIT, there is a training scheme for auditors which Gilbert Associates has developed, and a vetting procedure where the IQA or the VCS will actually give you a qualification, and you can only then provide certification. Of at least 1,000 auditors, there are only 35 auditors under TickIT at the moment, but they are properly certificated.
Now after six months' involvement I think I know a little bit about this audit process. I found the message was perhaps confusing. BS 5750 auditing isn't really understood, let alone TickIT. I questioned why they were giving me £500,000 to run an awareness campaign when people do not even know what BS 5750 is? What they do know is that it's bad. The press are saying that most of British industry (a) isn't doing it and, if they are doing it, it's not valuable and (b) there are no regular quality checks. The TickIT scheme has got a superb guideline for a quality management system and the general guideline, that grey book, really does mean something to your quality manager. If I'm a finance director, I would want to be sure that my software development used that standard, that they were audited, and that it would work.
The standard basically says you ought to have your quality management procedures documented. Who has not been to a lecture on quality management/total quality management? Who has been? Who believes they have a total management quality system? Everybody is talking about it. That's what it's about; it's supposed to be a guideline, once you have a system you are supposed to have written it up so that you can demonstrate it, and then you can be audited to see that you comply.
What did the DTI do? Having done studies to develop the need, and accepted Logica's recommendation that the key issues were a special standard for software, special auditor guidelines, and training for auditors, they decided that they should go out to tender for someone to run a technical project office that could respond to industries' queries. They gave Logica that contract. It's called the TickIT Project Office, and it is run by John Slater. He has worked for the last two years on setting up the rules whereby certification bodies would be accredited.
With a firm of chartered accountants, you have to be a chartered accountant to qualify and to give a certificate - the company name doesn't matter, it is the fact the person is "chartered" and he certifies. Here, it is the organisation that is accredited by the Secretary of State, through the National Association of Certification Bodies. The NACCB says that you are not, now, allowed to give a BS 5750 certificate for an organisation that is substantially involved in software, unless that work has been carried out under special rules. Whereas the thousand other auditors that are operating at the moment have a loose auditor qualification set by the IQA or the RVA, for TickIT you have to have special auditor training, the auditor has to be qualified, and ISO 9000/3 has to apply.
I bid with the NCC against Price Waterhouse and against the Saatchi company to run a programme to get these messages out. It is rather interesting to think I only know half the messages now and I was very confused at the beginning, yet I still designed the campaign.
You all have a "campaign brochure" in front of you, and I'll describe how the DTI goes out to tender to run an awareness campaign, and how some of the money in promotional best practice is spent. I've described the issue that it is best practice to have a scheme, and how they developed the rationale. Then they say, "We want to tell industry that this is important, that the scheme exists and that they ought to go for it, because we believe that UK Limited should be certificated."
I won the bid, and then I asked them what the target audience is? Who are the people? We know there are four, five, or six thousand software development companies in the UK from the zip codes on mailing lists. We also know that there are probably an equal number of in-house developers. If we look at CSA, we also know that the largest companies (the top ten) represent around 80% in volume of all software developers. A DTI programme usually has a combination of issues, so one says, "How are you going to tell people?" The finance directors, IT directors, quality managers and all software developers within organisations will say they want it to happen.
What you need is a brochure, scheme information, case studies, a newsletter, perhaps a conference programme, a guide and a video. Those are the deliverables. I bid a sum of £400,000 to run a programme for them. Part of my presentation to get that sum was to say that the first thing I would do would be to design a brochure which tells people what is in this campaign. I sent that brochure to 20,000 people by direct mail, having decided which mailing houses I should buy lists from. [One member present at the meeting did in fact receive this.] Of these 20,000 brochures, 2,000 forms came back - this high return was because after filling in the form, you got the deliverables (the brochures).
Case studies are very valuable because people can relate to them. In the pack in front of you there's a story of how it was done by Logica, by Praxis, by Lex Logistics (a small software house), by British Rail Computing and by Oracle. I'm quite enthusiastic about this as it is the best campaign I have ever run - it has really taken off. The other thing that I did was to decide that you've really got to reach level one of people, not just go for the technologists through conferences. Therefore, you have to do some media relations. I decided that we would have an Award and a launch. I had a target budget of sponsorship of £100,000 and I got £25,000 from IBM to sponsor an Award.
I frequently travel on the train to London with Lord Chilston and as Alastair is a video maker, I suggested we have the TickIT launch in the House of Lords. He refused, saying this was a commercial activity, but I pointed out that the only way to get Michael Heseltine to do something about IT is to telephone his diary secretary, say that the Award is at the House of Lords, and it will be quite easy for him to come along and launch it. Mr Heseltine agreed to come along, and that was quite valuable, because it was written up in the press that 'Mr Heseltine thinks this issue is important'. Media relations is all to do with having a good issue, and getting the coverage to ensure you've got people's attention.
The Award has been terrific - it is a crystal bowl (there are four in total, one for each category). We now have around 170 certificated organisations. Out of that, there are maybe only 80 that are not groups, and 50% of them have applied for the Award - the closing date was last week. The Award ceremony will be in London, but the purpose of the Award is purely PR. I've got sponsors queuing up to run the Award again next year - it has worked.
The other thing that has worked is conferences. When you run government campaigns, you often find that they spend £200,000 on inviting people to dinner at, for instance, the QE2 centre. I think it is a waste of time paying for people to come - it is far better to sell them a conference brochure and ask if they want to come. What has happened is that with the first series I had 500 people. I have just sent this one out, and you must remember that to send 55,000 out, you must spend £50,000 - it is big marketing, and you are spending other people's money to get the people in. I have now got sponsorship, and I'm going to do a new series of conferences, just entrepreneurially because, of course, the Coopers, the Admirals, the Touche Rosses are interested in sponsoring these things because they are able to get across the message and because certification is not a big cost. The big cost is installing a quality management system and most companies would go to a specialist to help them.
The Permanent Secretary, Alistair MacDonald, has become interested, and I've got him on the Award panel. Steve Shirley is chairing it, the founder director of F International and now Master of the Worshipful Company of IT Technologists. She was very involved in one of the largest programmes I have run, when Kenneth Baker was spending a lot of money on promoting IT for people with disabilities We did a lot of work in this area, on people working from home, on training, and on providing IT special needs, and also on an awareness campaign which was associated with it. Steve has built up a very successful software company, with between 500 to 1,000 man-years sold.
Questions and Comments
What are we certifying, the company? For instance, would Metapraxis be certified or would specific products such as Empower be certified?
It is a certification of your quality management system, not the certification of your product. For example, if I were the finance director of Burmah, I would wish to know that the work standards had a degree of excellence and that it had been certificated that they complied. This would be both for the internal development team, and external suppliers. As a buyer, if you have four people tendering to you, I think one would now say that one has a degree of safety, if your supplier says he is certificated. IBM and the MoD will no longer buy from a software house unless it is certificated - that is the great drive, and that is why people are coming to the conferences.
Regarding British Rail, is that like the Burmah example, where they want to be certificated for the comfort of their own internal management, or are they selling software products?
They are just very frightened of being privatised, and think they should get certificated quickly, or they won't survive in the open market - that is their rationale. One interesting thing with the conferences is that we've got David Luxford telling the story of how he became certificated, and why, and he actually says that it's because they are being privatised, and they want to sell their services outside. To me, after running the campaign, I have now been convinced that if I were running a major company, and had an internal or external software team, I would feel comforted if they were certificated.
There are times when it would be difficult for all organisations to become certificated when they have a lot of legacy type systems around, where the approaches you could take through normal quality assurance techniques don't stand up to the weight you are carrying - but certainly I agree about the comfort associated with certification for new developments.
How many people have you got in your software team?
In my team, 20.
So your cost is 20 man-years. How much external IT do you buy in? An equivalent amount?
It must be roughly equivalent.
Are you the usual buyer?
If you take into account old PC package software.
Do you use the guide? Have you read it?
I wouldn't say I've read it from cover to cover, but I've been through it.
When one looks at implementing it, there's the TickIT video (for sale at £50), and the case studies that describe how other people got there. The cost and the timescales of certification are significant (10%) and because I'm selling it, it all sounds very good. It almost sounds like, for example, the statement you made: "It's the barrier not to do it, but the reason it should be done".
It's similar to the old joke, "quality's free, but it costs you a lot to get there". If you've got a lot of history, the cost upfront is going to increase almost exponentially with what you are carrying around, and it's going to take you much longer to get to that stage. Most companies internally face quite a barrier to doing this.
Are we going to get to a stage where a company that wants to be certified to ISO 9001 has actually got to have had its IT function accredited as a component?
This is a very relevant question. The NACCB accredits and defines the scope under which someone can give a certificate. I will say that they haven't organised the rules terribly well at the moment, because, if you already have a BS 5750 certificate, the chances are that the certification body will carry on giving it, even though the software component is significant. According to the rules that you're supposed to be following, you're not allowed to do that. The question is "Is it embedded?" "Is it significant?" And who decides? The policing of that isn't currently well thought out.
We have a BS 5750 on our manufacturing plant, but nobody checked our computer system.
Nor did they probably understand it. But it's interesting - BSIQA are the largest certification body in the UK. Det norske Data, Bureau Veritas and Lloyds Register each have around 200 auditors, and then there's CIRA. Those big companies have TickIT auditors within their teams and are being very careful to monitor this issue. I suddenly had £500,000 to promote certification. I thought certification bodies would love this - imagine doing the advertising campaign for Coopers, Price Waterhouse and KPMG, but the certification bodies said they couldn't even cope with the growth in ordinary auditing, and TickIT is a special scheme. I told them I was promoting them, but they cannot cope with their growth.
The companies that have done it find it valuable, and the suppliers that are going for it at these conferences are those that are recognising that their buyers are now demanding it. This is third party certification, not second party, and they know that to survive they need it.
Our UK company has caused a certain amount of amusement with their accounts department claiming that they were certified to ISO 9001, and since they weren't the world leaders in terms of activity within the group, I just wondered if that was a necessary component.
The problem with all these things this is that you don't have to be good at it to be producing quality - you could be turning out quality rubbish.
Absolutely - the fact is, if your quality system defines rubbish, you'll get beautiful, quality controlled, rubbish.
We used to belong to a software body, but had to drop out of it, called QA Forum. There, they were really very wary of BS 5750, which some of you may remember had been described as a rogue's charter. Because of that, it really didn't give you any assurance that you were going to get a good product at the end of it, or that you were going to get a regular product which would come out the same.
In relation to TickIT (we've covered the issue that it is the system and not the product), I think that at the moment the people now going for audits are the CSA members, all the large companies, Logica, Praxis, CIMA etc. The supply side is going to have to go for it, and will within the next year. I just don't know how to start a certification body. But I think it really is worthwhile taking up, worthwhile as an in-house development. It is worth getting a team in, who will spend two days saying what a project plan would cost to get certificated. The quality consultants will tell you within that timeframe, although I'm not sure about charges.
Do you think for people actually supplying shrink-wrapped software, and presumably we're talking about UK suppliers, that they would be entitled to put on the label that they themselves are certificated? Has anybody started doing this?
No one has started doing it yet. The BSI is talking, at the moment, with the Institute about some kind of kite mark. However that is not TickIT related, but product related. The US is now likely to go for it in a big way and IBM is likely to make it mandatory for all their suppliers, which is going to have quite an influence.
There are EEC regulations now with the Health and Safety at Work Act that cover British software as well.
It's all very vague - with regard to what's "usable".
Last year I could have talked about 'Usability Now', just as an interest. We have just spent £1.5m with the government promoting usability of computer systems. At least the TickIT issue is real. I have been so cryptic in talking about it - has the fact that I'm quite committed to the idea come across, or have I undermined my case?
I thought you undermined it a little because you made the comment at the beginning, (which I hadn't appreciated because within Burmah Castrol there's been a lot of focus internationally), not on the software side but on the other side, is that this is something that is going to drive everybody. It won't be long before you can't afford not to be certified. You did make a comment which suggested that British industry was very apathetic and that X percent only (was it 30%?) were attending.
Two things; when I made that statement, I was making it about BS 5750 and I obviously didn't make that terribly clear. British industry is very sceptical about the generality of BS 5750 and its cost effectiveness. The studies of how much of UK manufacturing industry is certificated according to BS 5750 show that it's only 3% or 4% - appalling. And it's expensive. There's been an awful lot of press coverage on that issue. TickIT is such a small, new thing but it is very sharp, very focused, and effective and it is going to bite. My description of that is totally different from that of the BS 5750.
When you say it's going to bite, can you give us a feel for it?
The feeling I've got from looking at the CSA membership, purely in terms of the number of software developers that they employ, is that the top twenty, who probably represent 80% in volume, will be TickIT certificated within the next three years.
Software sellers or software groups?
Software groups affiliated to CSA that mostly aren't sellers.
I would think so, but I think you need to make that clarification at the right time. I think that's an important difference because the motivation for people doing it, currently does come down to the marketing aspects - they feel they need to be certified to be able to market their software.
In a big group, if you've got an internal development team that is not TickIT certificated, and you always blame your internal team for all your problems, then I think that being TickIT certificated is going to be a defence for them, to be able to say "I do perform, I have quality management systems". I think it's going to be important if, in two years' time, you ask "does that team stay or do we go external?" (to a certificated team).
It may be a necessary condition for future survival but it is certainly not a sufficient condition. A lot of these standards coming out in defence of IBM - are they really delivering quality products, good projects and so forth? I think some of these standards are pie in the sky, but having said that, the software groups do need to put their own house in order.
Having got nearly to the end of this campaign, I'm conscious that I might have actually put more emphasis on the key issues in a quality management system, what is it really about, instead of telling people it's necessary, you ought to go for it, it's good for you. I could have spent more time on the ten steps for the introduction of a good quality management system, which complies to a standard which is useful. These are easy guidelines.
I apologise for having missed your introduction, but do these initiatives reflect that there is a change in the government's strategy with regard to IT, are they getting their act together on the IT front?
They have a division called MIT (Manufacturing and IT) which is the sponsorship division for the effective use of IT in industry, as opposed to the IT supply industry.
When you say getting their act together, up to five years ago they used to spend £200m to £400m per year on giving great amounts of money to large companies, like GEC and Plessey, to develop projects that possibly would not have happened if they hadn't had government money. They have gone away from that now, much more towards spending the same amount of money on collaborative research projects, half of which is to the European ESPRIT/Bright Track programmes. Another focus is on looking at what they perceive is industry's need for best practice, and running schemes which firstly identify what the issues are, and what the need is, and then running some campaigns to bring the issue to public awareness - and that's the scope of this campaign.
TickIT is one of maybe ten or twenty of these kinds of initiatives in IT related fields. It's not that they are doing more now at all, they still have a lot of money in that field. What I touched on was the ad hoc way they decide to spend, and the fact that is it a blunderbuss effect. I know what the issues are that they are going to develop in the next three years, and they will always start these issues by doing some studies as to needs, and then running awareness campaigns on the issues.
In all my previous experiences of quality assurance schemes, or anything of that nature in software development, the real people that have impact on software are those at the coal face. You can try your best to impose quality, but it has to come from the bottom up. I certainly think there hasn't been that much visibility in this particular scheme at that level. So people are not coming to me and saying, let's get some quality into this area, or let's have quality forums, let's have this type of approach. We're not generating interest at the bottom to meet this demand for accreditation coming from the top. For instance, one thing people do look at in the computer magazines every week is the job section at the back. You need more impact through the magazines - we're not getting the balance right through to the coal face.
The biggest distribution mechanism is how you are getting to them with the message (PR, publications, advertising or direct mail)? I'm trying to do PR to get them in the box with Mr Heseltine, direct mail to get to 55,000 people and I have now written this thing to 20,000. The first campaign brochure went to 55,000, the second campaign brochure has gone to another 55,000. Anybody who registered, anybody who has written in, gets that newsletter - it goes to 10,000 names. So the distribution mechanism seems to be relatively well covered. Is it the message that is not appealing?
It could well be. I think you still tend to find, at the average programmer/analyst level, that quality is boring.
You should see the Standards people - these quality meetings!
Also, you find that quality is usually imposed from on high, and so the programmers themselves don't actually have the ownership. They know, perhaps, that they are producing things which aren't up to scratch.
What you are saying is very interesting, because I think that the effectiveness or usefulness of that guide is very important - it sends you to sleep because it's so detailed, whereas if it were a 12 point manual of how to succeed as a quality manager, and on the bookshelf, maybe there would be more interest.
Is there some mechanism in the campaign for people at the coal face to feed back to the Standards bodies to make it a fine-tuned instrument?
I once watched these Standards guys get absolutely into raptures about what they called a Metastandard which, when you worked it out, was a standard about a standard.
How exciting! And did you know that the number was EN 2000/3, not /4 - and that's very important! There's really no way that is going to get through to people who get their kicks out of writing programs. This is really very helpful feedback to me. To an extent, this conference business has become self-sustaining because people are just rolling up to come and hear the message, that's why we're still doing it. First there's a keynote speaker who talks about TickIT pay-back. Secondly, Margaret Dennis basically says what I've said about why they are doing it. John Slater talks about the standard and all these numbers, and people are very excited by it (he gets 9s and 10s). Fourthly, in the afternoon, I have two speakers from the case study companies saying why they did it, and then questions. That format worked for 500 people, and this time I think I'll have 1,000 people, and these are actually quite big numbers over three months - and the revenue is quite good too! The issue that you're talking about as to the guide to implementing an effective system is what people might be interested in for the next series.