Governance Statement
Accounting Officer Introduction: scope of responsibilities
DVLA is sponsored through the Motoring Services Directorate of DfT. Our sponsoring directorate acts across Driving Standards Agency, Vehicle & Operator Services Agency, Vehicle Certification Agency and Government Car & Despatch Agency in addition to DVLA, so not only manages performance but also co-ordinates our collective direction and strategy. Our sponsor, the Managing Director of Motoring Services, is supported in terms of advice and management by the Motoring Services Board upon which I sit together with four other Agency Chief Executives and sponsor representatives.
DVLA is responsible for providing driver licensing services in Great Britain and the registration of vehicles and collection of vehicle excise duty throughout the UK. Our sponsor and I regularly meet ministers to discuss progress, performance and key risks.
Driver licensing in Northern Ireland is a devolved power and is undertaken by a separate executive agency, the Driver and Vehicle Agency (DVA), sponsored by the Department of the Environment in Northern Ireland. However, responsibility for the licensing and registration of vehicles and the collection of vehicle excise duty in Northern Ireland lies directly with the DfT Secretary of State; these functions are discharged by DVA through DVLA-managed Service Level Agreements.
The DVLA Executive Board
- Service delivery: including the identification of management actions to address the key operational issues and monitoring delivery of plans for outputs, finance, headcount and resources.
- Strategic direction and plans of the Agency: including oversight of the Agency’s change agenda and progress against the Strategy and Business Plan.
The six Executive Directors have specific areas of functional responsibility:
- Chief Operating Officer (COO): Judith Whitaker (previously Human Resources & Estates Director);
- Finance & Strategy (F&S): Ieuan Griffiths;
- Human Resources & Estates (HR&E): Phil Bushby (previously HR Director at Companies House);
- Chief Information Officer (CIO): Paul Evans;
- Corporate Affairs: Hugh Evans (acting) (previously Head of Policy);
- Transformation: David L Evans (previously Corporate Affairs Director). This is a new post to reflect the scale of the change agenda and to co-ordinate programmes of work.
The EB brings a good mix of previous knowledge and experience from a wide range of other organisations in both the public and private sectors, equipping it well to work with both sectors as an Executive Agency. With the exception of our new HR&E Director, the team has worked together for nearly four years and has a clear corporate vision and focus. The EB works entirely within the Civil Service definitions of ethics and values. Short EB member biographies are included in the Annual Report.
Audit Committee
The DVLA Audit Committee comprises the two Non-Executive Board Members, together with a representative appointed by DfT, currently the Commercial and Technical Services Director (Kate Mingay). I, my Finance & Strategy Director and the Head of Internal Audit attend as observers, as do representatives of DfT Finance (who also represent the DfT Sponsor Directorate), the National Audit Office (NAO) and KPMG (as sub-contracted auditors to the NAO). Other Executive Board (EB) members attend as observers on a cyclical basis.
The Audit Committee has access to all internal audit reports, major project assurance reports, external reviews, risk registers and management reports, and considers all our external financial and governance reporting prior to advising me on its accuracy and appropriateness before release. The agendas follow a cyclical pattern for external reporting, but at each of their four meetings each year the Committee considers: progress against assurance plans, adequacy of response to the risk register, management responses and action progress against assurance reviews (internal and external), response to fraud and bribery threats, ICT security and any breaches reported. The Audit Committee considers and approves, before submission to DfT, the EB Management Assurance Statement, the Governance Statement and the Annual Report and Accounts. It undertakes an annual self-assessment of performance that includes me and other stakeholders.
Business Investment
b) Commercial controls: these are overseen by a quarterly Commercial Board chaired by the F&S Director with attendance by the Chief Operating Officer and Chief Information Officer to provide appraisal and challenge in terms of support for the business, and a Commercial Committee chaired by the Head of Commercial Services Group that meets in the intervening months to monitor progress and approve the monthly performance and issues report provided to the EB at their monthly meetings. Any issues that require escalation from the Committee to the Board and that require immediate attention are considered by the F&S Director and Chief Executive. The EB agrees policies for procurement and customer services, oversees major contract lets and agrees the procurement strategies, reviews progress against efficiency generation. The F&S Director and Head of Commercial Services Group attend the DfT Procurement Board to provide updates, reports and ensure collaborative progress against the Government Strategy.
c) Investment Controls: proposed project-based expenditures (IT and non-IT) have their business cases assessed by the Finance Committee which either rejects, approves or makes recommendations to the EB, depending on the expenditure level involved.
d) VED collection and enforcement: the targets and operations relating to these activities are set and monitored through the VED Governance Committee, a tripartite arrangement comprising DVLA, DfT and HM Treasury. This is chaired by DfT and meets formally three times a year to agree the budgets and objectives and monitor progress against these.
Business cases comply with the DfT Investment Appraisal Framework through compliance with the ‘Green Book’ and use of the best practice five-case business model advocated by ERG and HM Treasury. Early stage involvement of Cabinet Office ERG through their review cycle is observed in all cases.
The ACPO monitors and tracks programmes through to closure, providing the EB, where significant enough, with advice on project and business decisions. This potentially includes cancellation of individual projects if business case changes or risk appraisals (both updated regularly) indicate this to be appropriate. Such action has only been required twice since 2000 (because of changed external factors), but it is an essential control to ensure value for money; such actions are fully disclosed in the annual accounts.
Tier one and two projects have their business cases considered and budgets approved, together with monthly progress reporting and monitoring, by our sponsor directorate (via the DfT Investment Appraisal Board) and, if over £100 million, by DfT (the Business Investment Case Committee, a sub-committee of DfT's ExCo). During the year additional approvals processes were put in place which mean that all project investments over £5 million are escalated through the DfT processes to the Cabinet Office, with major or innovative investments also considered by HM Treasury before approval. Some of these projects (or procurements) also have parallel approvals processes for supporting activities such as legal or consulting input.
The current ICT Let Programme is subject to the whole of this governance structure from DVLA through to DfT and then onwards to both Cabinet Office and HM Treasury.
Where there are crown representatives in place for contracts (as for our ICT expenditure: IBM, Fujitsu and Oracle; and our front office counter services: the Post Office®) then we also consult with and seek approval from the representatives to ensure that cross-Government procurement is as effective as possible. We engage actively with the Government Procurement Service to ensure that where we are a majority purchaser in Government we accommodate cross-Government requirements in our contracts.
Change Controls
All proposed projects are subjected to initial review at a Business Change Board and, if successful, are allocated to an operational area (for business as usual change) or, if significant, passed to the allocated programme for further study and exploration. Stakeholder support is sought, design principles established and an outline business case developed if appropriate.
The business case is approved and funding prioritised initially through the DVLA governance process. During 2010-11 (the last financial year) further steps were introduced at both DfT and Cabinet Office levels to review all projects over £5 million to ensure that all projects are consistent with the Government’s ICT strategy.
All significant projects, in both DVLA and DVA (as DVLA’s agent in delivering its Vehicles responsibilities in Northern Ireland) are subject to the prescribed ERG and HM Treasury risk assessment process and scoring. They are subject to an appropriate level of independent ERG reviews by high/medium risk reviewers appointed by the ERG at key decision points throughout their project lifecycle. Smaller/low risk projects are peer reviewed by internal reviewers through a similar process.
Data handling security and information risk
DVLA is critically focused on data security and complies strictly with legislative release provisions, the Data Protection Act and Cabinet Office guidelines, as its core functions encompass the management and maintenance of its significant driver and vehicle registers. This means responsibility for the secure handling and maintenance of two of the largest databases in government, including data transmission and access control. It undertakes over 120 million transactions each year in respect of these databases.
As a result the CIO is one of the six Directors on the EB and has functional responsibility for operational delivery of all ICT services and the infrastructure that underpins our two critical databases. As discussed in previous Statements of Internal Controls (SIC) and subsequently confirmed through discussions at Audit Committee, the CIO also holds the Senior Information Risk Owner (SIRO) responsibility. The Head of Information Security, who manages the Information Assurance Group (IAG), has a direct line to me as CEO in the event of any conflict or concerns. Both the CIO and Head of Information Security also report separately to Audit Committee. I feel this is sufficient to mitigate the risk of merged CIO and SIRO functions and the current arrangement is giving a high level of assurance.
DVLA has authority delegated from its parent department DfT to accredit the Agency’s systems. All of our systems, including the DVLA network, are subject to risk assessment and independent review by the DVLA Government Accreditor. Specific authorisation is required for all new systems prior to going live and thereafter all systems are subject to a rolling programme of accreditation. This responsibility lies within the IAG. A network of Information Asset Owners (IAO) has the responsibility for protecting the data sets allocated to them. The data sets are recorded in an information asset table along with the associated risks and the IAOs have the responsibility for reviewing these risks and how the data is used on a regular basis. This is managed and enforced by IAG. The training of IAOs and the central record of information is the responsibility of IAG, along with defining and monitoring compliance with policies.
Our progress on securing and assuring the use of our data is measured against the Government Information Assurance Maturity Model. The 2009-10 assessment was made by the Communications-Electronics Security Group (CESG), part of Government Communications Headquarters (GCHQ), and has been used as a baseline to measure progress against the Information Assurance model. The DVLA Information Assurance Strategy is to achieve level two of this model throughout, as this meets business requirements, but aspires to reach level three.
Subsequent self-assessments show we continue to make significant progress from the basic acceptable level (1) towards both our target level (2) and aspiration level (3). Results for the last year for the six areas were:
- Leadership & Governance: 3.00
- Training & Awareness: 1.82
- Risk Management: 3.00
- Through-life IA: 1.83
- Compliance: 1.80
Whilst the model itself has changed in terms of assessment since the benchmark, we are on track to meet the level 3 target in 2015. The major improvement is the revision of our data governance framework that has been presented and agreed at EB. This has increased control and improved our score against the 2010-11 assessment.
Work for the coming year will seek to focus on assured information sharing. This will give the EB an effective assurance on arrangements for releasing information and its use.
We continue to move data transfers from physical media to secure and encrypted electronic channels through our Electronic Links Implementation and Strategy Enablement system and this channel migration will continue until all transfers are electronic. Exchange of personal data by means of encrypted CDs remains our only physical transfer media for a decreasing number of external recipients. Information may now only be downloaded onto approved removable storage devices that are encrypted and strictly controlled. These devices are only issued on production of a business case approved by the Head of Information Security or myself.
All new services go through a comprehensive risk assessment before live operation, needing approval by the DVLA Government Accreditor. As part of this approval process, risks to the data being processed are formally evaluated and recorded in a Risk Management Accredited Document with the resulting risk assessment having to meet pre-set criteria prior to going live. The layered approach to physical security on all sites holding core data sets (drivers and vehicles) is fully operational, with ‘hot spots’ within the sites having specific security measures to give the most cost effective security according to the evaluated risk. Vehicle entrance is now controlled through automated number plate readers at our gates.
During 2011-12 there were nine low level data breaches (7 in 2010-11) involving specific individual records. None of the breaches required the Information Commissioner’s Office (ICO) to be informed. There is no suggestion that any of these information breaches could have been used to facilitate financial fraud against customers or other third parties.
Whilst we do not have to declare such low level breaches to ICO, we do report all breaches in compliance with best practice.
We have instituted comprehensive data handling training and assessment for all staff, who have to achieve a score of at least 80 per cent in the end assessment to meet our mandatory standards. The annual exercise was again completed ahead of schedule in 2011-12 and contributes to the cultural shift to improve further the control of our data and reduction in security breaches.
How the Executive Board works
- Operations Board (Chief Operating Officer)
- Agency Change Board (fed by the four Programme Boards, with their own Project Boards) (Transformation)
- Commercial Board (Finance & Strategy)
- Finance Committee (Finance & Strategy)
Our sponsor directorate helps ensure that sufficient priority is afforded to operational delivery, progress towards Business Plan targets and management of risks to achievement, through monthly challenge meetings with myself and the Finance & Strategy (F&S) Director. There are formal quarterly sponsorship meetings with the Managing Director of Motoring Services, myself and my F&S Director.
Also, there are monthly meetings with DfT through the Policy Forum, Commercial Board, Finance Management Team and HR Directors Forum, in which current issues are explored and updates provided.
We report monthly to our sponsor directorate on progress against the Business Plan and to DfT Finance on progress towards financial targets and for cash forecasting. We contribute monthly to DfT transparency reporting on expenditure and contracts in respect of our own activities. The DVLA reports, together with emerging escalated risks and issues, are aggregated with those of other agencies and considered at the DfT Executive Committee (ExCo) and Group Audit Committee as appropriate.
I formally agree specific targets and success criteria with each EB member at the start of each year, directly from our published Business Plan. I meet each member individually on a monthly basis to assess progress against objectives. During the last year we instituted external feedback on corporate performance within our EB meetings. I meet regularly with the Non-Executive Board Members to review their performance and ensure the Civil Service Code is met – but with a positive aim to ensure that we gain greatest value from their external perspectives and experience.
Remuneration
For the wider staff, our staffing and grading structures remain relatively standard within the Civil Service and DfT. We have strict controls in place internally to prevent ‘grade creep’ and adhere robustly to processes that determine the grade of each individual post. The annual overall review of salary scales is agreed first by the DVLA Executive Board (EB), after recommendation by our HR function, but is then challenged and finally approved by both DfT and then HM Treasury.
Robust workforce plans and overall staff expenditure controls are exercised through the EB and their monthly management meetings, supplemented by my one-to-ones with individual Directors.
Risk Management
The Agency’s system of internal control is designed to manage risk to a reasonable level rather than to eliminate all risk of failure to achieve policies, aims and objectives. It can, therefore, only provide reasonable and not absolute assurance of effectiveness. The system of internal control is based on a continuing process designed to identify and prioritise the risks to the achievement of DVLA and DfT policies, aims and objectives, the likelihood of those risks being realised and the impact should they be realised, and to manage them efficiently, effectively and economically.
We do not try to eliminate all error and fraud with certainty, as this would not be a cost-effective or even possible objective. The balance achieved is kept under regular review as circumstances change and new issues arise. The Executive Board (EB) provides guidance and leadership to managers on how to respond to risks they have identified by owning and managing key risks, as well as issuing an explicit DVLA risk appetite profile to guide others. The Agency’s risk appetite is set by the EB according to the five categories of risk:
- Reputation: Cautious (preference for safe options that offer a low degree of residual risk and may offer limited reward).
- Operations: Open (willing to consider all potential delivery options and choose one most likely to result in success).
- Change Programmes: Open.
- Finance/value for money: Cautious.
- Legal/regulatory: Minimal (choose the safe option with a low degree of inherent risk).
This is refreshed at least annually and is linked to the appetite expressed by DfT. Risk Officers and Directors meet monthly to discuss their own individual Directorate risks, together with monitoring the actions on risks escalated to the DVLA Corporate Risk Register for which the individual members are responsible. The EB formally discusses high level corporate risks each month, concentrating on progress with the actions to avoid and mitigate the key risks. All risks have mitigating plans in place with responsibility for delivery clearly assigned. All corporate risks are allocated to specific EB members. Staff guidance on risk management is available on the DVLA Intranet for comment, contribution and information. Risk policies and processes are supported and maintained by the Strategic Planning Group, which is responsible for advising on corporate risk management and the escalation of risks from the risk and control framework to the EB and, if relevant, to DfT.
This system of internal control has been in place in the Agency for the year ended 31 March 2012 and up to the date of approval of the Annual Report and Accounts, and accords with HM Treasury guidance relating to corporate governance and management of risk. DVLA maintains risk registers at each level, including:
a) Programmes and Projects: All programmes and projects are overseen by Programme Boards and our Agency Change Portfolio Office (ACPO). Processes and registers conform to guidelines on the Management of Risk set by the Cabinet Office’s Efficiency Review Group (ERG). All Boards review their risk registers at each meeting and escalate risks that need wider handling.
b) Operational activities: Each Directorate maintains a Directorate Risk Register. These are all reviewed by the responsible Director and their management teams and updated at least monthly.
c) Corporate activities: The Corporate Risk Register contains risks with an exposure higher than defined by DVLA’s risk appetite profile. Risks include those escalated from directorate and programme registers, those added by EB members as a result of individual concerns or following the horizon scanning exercise which occurs twice each year and those raised by any individual directly with the Agency Risk Manager.
d) External Escalation: Risks with the potential to impact on the other motoring agencies or the wider DfT, because of scale or nature, are escalated through our sponsor directorate.
A formal self-assessment process resulting in individual management assurance statements is required for all Directors and Senior Managers, in which they acknowledge their accountability and assess the quality of risk management under their span of control. This is consolidated and provides input to the formal annual statement, assured by our Audit Committee, that I provide to DfT at year end.
Our contracts or agreements with organisations for data sharing incorporate conditions for us to carry out inspection and assurance activities or visits in order to review controls in operation, and for us to monitor their compliance with the terms and conditions of supply.
We have significantly changed these contracts and requirements during the last year and made protocols and standards more robust. A large number of organisations are able to access our data through legislative means or through common law and we have established new controls and frameworks around these. Internal Audit reviews the Agency’s governance and risk management policies and processes annually, confirming compliance with departmental requirements and drawing on external practices to inform their assessment of their maturity and effectiveness.
Shared Services Arrangements
Each DfT organisation has its own control responsibility and internal audit processes for those internal elements of the transaction streams that remain outside the SSC and each Accounting Officer has individual responsibility to ensure that the two sets of controls provide an environment of overall appropriate control for their own organisation.
The DfT Shared Services Director has provided four Assurance Reports during the year on the internal controls operating at the SSC, based primarily on internal risk and control monitoring activities and reporting processes, but also upon assurances provided by DfT Internal Audit and other relevant risk/control reports and sources of assurance. The conclusion of the Shared Services Director is that the system of internal control has delivered effective internal control, with a number of small exceptions which have not impacted on the accuracy of transaction handling or the production of financial statements. Weaknesses remain in terms of disaster recovery (this is in place but greater testing is desirable) and the lack of a system for archiving/disposing of records (desirable but not essential), but neither has resulted in impact during the last year.
Throughout the year DVLA has continued to ensure that its own controls and processes are operating effectively, with manual checking of data integrity and accuracy where necessary. These factors, combined with SSC assurance reports, ensure that the combination of controls is appropriate and reasonable in terms of our overall internal and assurance requirements. The SSC provides monthly assessments of service levels and issues, discussed with DVLA at formal quarterly monitoring meetings. In addition, there are monthly assessments of controls provided to Information Asset Owners as part of the control processes. Approval processes in place for any changes proposed by individual business units or SSC ensure that objectives are still delivered and the control implications assessed, agreed and managed.
The DVLA Non-Executive Board Members
Value for money
As part of the selection process for new contracts, tender evaluation incorporates whole life costing to ensure that value for money is considered throughout the life of the product/service contract. Supplier performance is pro-actively managed for all key contracts let by the Agency to ensure that quality and service are maintained for the duration of the contract.
The Agency participated in an extensive programme of benchmarking reviews based on Better Quality Services principles during 2010-11 to confirm that a range of the Agency activities, principally its support functions, are delivered cost effectively.
How I assure myself that these structures and processes are working
a) Audit Committee: The EB and Audit Committee assist in developing and overseeing these assurance processes and the plans to address weaknesses, ensuring continual improvement of the systems remains a priority. These processes apply to all Agency activities and transactions in the DVLA business and VED accounts. The Chair of the Audit Committee reports regularly to the EB on the committee’s views on the effectiveness of internal control.
b) Internal Assurance: A single integrated structure has been established as Corporate Assurance Services to carry out the core internal reviews. This works very closely with a range of other assurance providers including the fraud unit (internal and external), commercial services, finance and the Agency Change Portfolio Office. DVLA Internal Audit operates to the prescribed Government Internal Audit Standards and provides me with an independent opinion on the adequacy and effectiveness of the Agency’s system of internal control, together with recommendations for improvement. The Agency’s Head of Internal Audit (HIA) has free access to the DVLA Audit Committee chair and to me as Accounting Officer, but also works closely with the DfT HIA as part of the group operating model. The Internal Audit plan for the year encompasses all internal controls, including assurance over the security and use of DVLA data, as well as assurance against contractual commitments and data protocols for those organisations that interact with us.
c) Monitoring of Specific Control Issues: We always take remedial action when we encounter control issues, but also closely monitor progress to full resolution. In the last two Annual Reports and Accounts we reported two control issues:
Theft of documents from Supplier:
During 2006, DVLA rejected a batch of Vehicle Registration Documents (V5Cs) due to incorrect colour printing. They were returned to our suppliers as they believed they could overprint to the correct quality. This proved impossible and a number of V5C forms were stolen either between the printers and their contracted secure destruction company or at the latter. We commenced legal action in 2010-11 to recover the costs of reissuing all V5C forms in a new format and we are currently continuing to pursue our suppliers through legal processes.
Insolvency of Supplier:
We had one instance, in April 2010, of supplier insolvency leading to potential loss as a result of non-systemic failure to adhere to specified DVLA processes. This was reported in the 2009-10 SIC. Negotiation with administrators and new investors mitigated the losses down to relatively low levels and DVLA received a final distribution in April 2012 of £749,000, leaving DVLA with a shortfall of £982,000.
Current year issue:
Immediately before the end of the financial year DVLA became aware of a fraud in one of its local offices. Police investigations have been undertaken and an arrest has been made. It has become apparent that a loss of £66,000 has been incurred but we have acted to ensure that controls have now been improved to prevent any re-occurrence.
The nature of the fraud means that DVLA can trace the tax discs and vehicles involved and will pursue this with the police.
d) DVA Control Assurance and Vehicles Responsibilities: DVA is subject to internal audit review by the Department for Regional Development (DRD) in Northern Ireland. I draw assurance from the opinion the DRD HIA provides to the DVA Agency Accounting Officer. This is overseen by the DVA Audit Committee which is presided over by the chairman of the DVLA Audit Committee. With the Northern Ireland vehicles systems now physically relocated to Swansea and operating from DVLA data centres, the systems operations projects are now largely working directly within the DVLA processes and controls.
e) Head of Internal Audit Opinion: The overall opinion I have received from my HIA for 2011-12 is that reasonable assurance can be provided that the DVLA governance, risk management and control arrangements are appropriately defined and found to be working effectively.
In the cases where Internal Audit identified the need for control enhancements, these were not deemed significant in the context of the overall control environment. Where enhancements were proposed, corrective action has been agreed and subsequent delivery is monitored closely within DVLA by individual Directors, through monthly reporting on outstanding issues at EB meetings and to the DVLA Audit Committee, and is also reported directly to DfT ExCo.
Actions against weaknesses identified have contributed to the overall assurance reported within this Governance Statement.
Simon Tse
Accounting Officer and Chief Executive DVLA
13 June 2012