Omnishambles 3

This is the third in a series of three articles about the award of a $30m+ contract awarded in 36 hours to a non-approved supplier by a Department in the Victorian State Government. The perspective adopted is not a political one, but rather an exploration of the procurement processes that led to what must rank as one of the worst examples of procurement malpractice in Australia's history.

The first article explored the sourcing process and the second article explored the contract terms. In this final article, I will explore the systemic issues raised for the Victorian State Government and for the status of procurement in Australia. All of the information referenced is in the public domain and my motivation is to highlight what happens when an organisation relies on external providers but lacks the capability to act as an intelligent customer.

Why is this important?

Unified Security was not on the Victorian State Government's own State Purchasing Contract for Security Services. In spite of this, the relevant State Government department gave the firm a contract for $30m after 36 hours of discussions, and subsequently, Unified's role was expanded to oversee security at 13 hotels. The company has come under scrutiny in the official inquiry into hotel quarantine because of allegations Unified sub-contracted work to guards not trained in infection control, who then contracted the virus while working at Rydges on Swanston.

Transmission between quarantined returned travellers and staff working at Rydges on Swanston and the Stamford Plaza led to Victoria's second wave of COVID-19, with its outbreaks directly linked to 99 per cent of coronavirus cases in Victoria. The second wave resulted in more than 750 deaths and nearly 20,000 infections, as well as a lockdown that has crippled the Victorian economy.

What has this got to do with procurement?

Everything.

1. The 'do or contract' decision was poorly handled in deciding to use private security
2. Procurement planning - even at the most basic level - was absent
3. Risk management was completely absent
4. The governance mechanisms that should have applied were bypassed
5. The sourcing process was risible
6. The procurement strategy was weak
7. The specification or scope of work was egregious
8. The negotiation process was a model of poor practice
9. The contract document was inadequate
10. Contract management was inadequate

Let's take Mary Poppins' advice and start at the very beginning

1 Do or Contract Decision

When I was involved in the rebuild of Christchurch after the 2011/2012 earthquakes, the client needed thousands of workers quickly. They decided to outsource the acquisition of trade services but to insource the accreditation of those workers.

This gave them the ability to validate credentials, licences and bona fides of workers, as well as the means to rescind accreditation for miscreants.

In Victoria, they did not do this. Accordingly, when sub-contractors themselves sub-contracted the work, the State lost control over the capability of the staff involved. Imagine if there had been an accreditation office within DJPR. Imagine if proposed workers were checked for visas, given appropriate training (in diversity and inclusion and infection control) and issued with PPE. Imagine the control that this would have given the State!

Learning Point #1

The 'do or contract' decision was flawed. The Victorian State Government knew the market was immature, so cannot claim that it was a shock when Unified Security (with 89 permanent staff) sub-contracted most of the 1759 posts that they were asked to fill. The Victorian State Government is not an intelligent customer and should not outsource complex services without a demonstrable step-change in capability.

2 Procurement planning was absent

Most parents reading this article will have put more thought into planning their child's 1st birthday party than went into this $30m high-risk project. Why did the Secretary of DJPR engage a team of well-meaning staff without the merest semblance of any commercial acumen to let a contract for a complex high-risk project for tens of millions of dollars at short notice?

In terms of stakeholder management, why didn't the team from DJPR engage their own Departmental procurement specialist? Why didn't they ask the State's Category Manager for Security Services for advice? Why didn't they undertake a risk management plan?

Learning Point #2

The Victorian State Government lacks commercial acumen. The Secretary of DJPR lacks understanding of the procurement function and the procurement process. He assumes that well-meaning amateurs can manage complex procurement projects and that the State's own contracts are little more than telephone directories. There needs to be a structured awareness-raising program to increase understanding of the procurement function and the procurement process for all senior Departmental heads in the Victoria State Government.

3 Risk management was absent

I have worked with practitioners at multiple levels of government in many jurisdictions and it is clear than risk management is a core capability of the public sector.

But not in this Department of the Victorian State Government.

This was compounded by the State Government's decision to restructure itself during a crisis and create eight 'missions' instead of using normal cabinet protocols. Who could have foreseen that using an untried and untested decision-making process during a crisis might lead to poor governance?

Mr Magoo.

The absence of any reference to risk in the planning and the risible attempts to transfer risk through the mechanism of a boiler-plated contract exposes the absence of risk management capability in DJPR. Many public servants will be shaking their heads that this level of incompetence and casual approach to risk management could happen.

How did the controls not work? Is this another example of the fabled swiss cheese model of how disasters happen?

Learning Point #3

The Victorian State Government lacks systemic controls on risk. What is the point in micromanaging officers spending $100 on stationery and then allow amateurs to bypass all controls when acquiring a high-risk complex service at short notice?

The Auditor-General needs to investigate the role of the Secretary of DJPR in signing a contract for $30m which was prepared by staff who ignored virtually every protocol and control that would have prevented this debacle. Simon Phemister was the notional mission head of procurement and logistics but appears to have no commercial savoir-faire whatsoever.

4 The governance mechanisms that should have applied were bypassed

There is a cliche about building a fence around three-quarters of your property and leaving one-quarter open. But isn't that exactly what happened here? From personal experience, I know that probity advisers are very popular with officers in this jurisdiction. Probity advisers can insulate officers from personal risk, and they can highlight potential breaches of governance.

So why didn't the officers involved in this debacle, from the Secretary down, consider what governance was appropriate? I have been writing case studies in procurement since the early 1990s but I would never write a case study featuring the apparent level of favouritism showed towards Unified Security. It wouldn't be credible.

So how did this happen?

The procurement specialist tried to introduce caution, but as is so often the case, urgency and escalation were used as excuses to find a way around the procurement 'blocker'.

Was a lawyer involved? Which other specialists were consulted?

Learning Point #4

The governance arrangements for (procurement) projects in the Victorian State Government are ineffectual. The State Purchasing Contract was 'mandatory*'

* except when a senior manager claims urgency and picks their preferred supplier over a mandatory contract with five suppliers.

What is the point in even having contracts? Most public entities have a scheme of delegated financial authorities...so which officer (or politician) had the delegated authority to approve this contract? The Secretary? Did Simon Phemister understand the residual risk he was accepting on behalf of the State?

The Auditor-General needs to investigate the role of the Secretary of DJPR in signing a contract for $30m which was prepared by staff who ignored virtually every protocol and control that would have prevented this debacle. One option is to separate the authority to spend money (expenditure approval) from the authority to select the supplier (commitment approval). This authority could be invested in another officer for higher-value projects to ensure that the selection of suppliers is undertaken with appropriate rigour and observes organisational standards. Like using existing contractsof approved suppliers.

The Auditor-General also needs to investigate the role of the VGPB. What does this body actually do, and given the systemic failures that this project exposed, is the VGPB fit for purpose as part of the procurement governance arrangements for the State Government?

5 The sourcing process was risible

The junior officers ignored an existing contract available to them online 24/7, 365 days a year and instead shared anecdotal stories about who they liked. Their reference to the security industry being full of 'cowboys' was projection; the DJPR officers were the real cowboys.

The most charitable take on why Unified Security was used is that the officers' commitment to identity politics meant that they were prepared to pay an extra $3m of taxpayers' money (11% of $27m) to use a security company that employed disadvantaged staff. Whether the other security companies on the State's Purchasing Contract also employ disadvantaged staff we do not know.

I suspect that they do, and the security guards are exactly the same people whichever company is engaged but wear different colour polo shirts depending upon who employs them. But hey, I am not an expert, and the staff from Global Victoria are. At least according to them.

Learning Point #5

Every officer should be aware of how to access State Purchasing Contracts. One option is to separate the authority to spend money (expenditure approval) from the authority to select the supplier (commitment approval). This authority could be invested in another officer for higher-value projects to ensure that the selection of suppliers is undertaken with appropriate rigour and observes organisational standards. Like using existing contracts?

Another option is to scrap the VGPB as a failed mechanism, and instead create a Chief Procurement Office. The CPO would be involved in approving contracts with a value above $25m. They might also sponsor a capability uplift program, like those that occurred in Queensland and South Australia. (Declaration of conflict of interest; I participated in designing both capability uplift programs)

6 The procurement strategy was weak

I know what you are thinking. Was there a procurement strategy?

One of the refrains that can be heard when discussing this issue is that "It was a crisis! They had to act quickly!" I have a colleague in the NZ Government who was tasked with acquiring half the World's supply of portable toilets after the Canterbury earthquakes. My recollection is that he used an Antonov cargo plane to ship them to NZ from China. At short notice. A procurement specialist. He didn't have much time for a market review. But he did one! And while that is goods rather than services, I also know the guy who wrote the strategy for acquiring trade services to rebuild domestic dwellings in Christchurch, because that was me.

Here's what a reasonable person would have done.

1. Separate out the immediate requirement (security guards on-site in 24 hours) from the ongoing ("business as usual") requirement
2. Create two contracts; a short term contract for two weeks. Price immaterial. Mobilisation time is everything.
3. And when that 'stop-gap' contract is in place, plan to let a second, much larger contract for the remaining 10 weeks. Focus on delivering value; risk mitigation, quality of security services provided, infection control protocols, % of shifts resourced, hourly rate. Oh, and if you can find disadvantaged workers who have the appropriate capability and qualifications, great! As a secondary source of value.

Let's address the fixed price. $30,200,000.

What in the name of all that is holy was that about?

How can anyone in their right mind commit to pay a fixed sum when they do not know how many hours of service will actually be provided?

Now call me a price-focused dinosaur if you like. But given the challenge of finding 1759 security guards at short notice isn't this incentivising Unified Security to provide security services with the minimum numbers of security guards possible? Why not pay a weekly sum based upon the number of shifts actually resourced?

Or would that have involved the staff in Global Victoria actually monitoring the contract instead of creating self-congratulatory videos?

And don't get me started on 'value for money'. The prioritisation of secondary sources of value - the engagement of disadvantaged groups as security guards - over the primary source of value - protecting the community - is a completely egregious failure. Social procurement has merit, of course, but don't give me lectures about good intentions when 750 people have died because of an officer's decision to award a contract to a company they liked.

Learning Point #6

The VGPB (or its successor body) should be tasked with defining 'value for money' in terms that prevent a repetition of this debacle. All officers tasked with developing procurement strategies should be supported by guidance that defines the relative weighting of social procurement objectives (5-25%) and primary sources of value.

That guidance should also address the use of fixed price contracts. This is a perfectly valid remuneration basis, especially when linked to a defined scope, known volumes, low complexity activities and work that can be split into bundles or linked to milestones. It is a completely inappropriate approach when linked to an uncertain scope.

As it was in this case.

One option is to accredit staff who have received training on contract strategy for a 36 month period and limit the development of procurement strategy to accredited staff. Another option is to train staff involved in procurement processes in how to manage procurement processes.

I know, I know. A wacky idea.

7 The specification or scope of work was egregious

I have rarely seen such an appalling wish list substituted for a specification. It was generated by the 'ground crew' working on site, and no one could add to it? Not the officers at base? Not the procurement specialist? Not the legal team? Remember that the contract was released a week after work started. Plenty of time to 'give consideration to' writing a proper specification.

There is an abundance of guidance on specification writing online. I do not accept urgency as an excuse. I have run training in specification writing from Manchester to Miami, from Melbourne to Manila, and it is not rocket surgery.

"Stop coronavirus from escaping into the community."

Seven words. A functional specification. Fit for purpose.

Simple.

Learning Point #7

The VGPB (or its successor body) should develop and sponsor guidance on specification writing. Only accredited officers (who have attended training on specification writing) should be allowed to draft scopes of work for complex services

8 The negotiation process was a model of poor practice

Does the public sector actually negotiate? As I have been Lead Negotiator for two projects for the Victorian State Government I can answer that question.

Yes, it does.

Did the officers in DJPR negotiate with Unified Security?

When buying more than 600,000 hours of security? Of course they did!

They got the rate down from $51 to $49.95!

A saving of $600k right there!

Of course, it isn't a saving. And the negotiation shouldn't have focused on price, but on risk. It appears that the ingenue in DJPR who was asked to negotiate with the CEO of Unified Security was out of her depth, and her counterpart David Millward is clearly an expert negotiator.

It is said that 'success is the brand on the brow on the man who aimed too low' and by that standard David Millward is a complete failure. I wonder what he asked for that was not accepted?

• premium rate ($49.95/hour), >10% higher than peers? Check!
• higher rates at night ($51.91/hour)? Check!
• even higher rates on Sundays ($89.28/hour)? Check!
• meal allowance of $15/pax/shift? Check!

Would it be churlish to mention that the meal allowance was not part of the contracts of the other providers of security services?

Probably.

My friend Tom used to say to me:

"Paul, do you know what sort of deals desperate people do?"

"No, Tom, I don't. What sort of deals do desperate people do?"

"Desperate deals, Paul. Desperate people do desperate deals."

And he's right, isn't he?

Learning Point #8

The VGPB (or its successor body) should limit negotiation to accredited officers (who have attended training on negotiation skills). (Conflict of interest declaration; I provide negotiation skills training)

The Secretary of DJPR should be counselled on delegating such a complex task to an officer so ill-equipped to perform the task they were asked to do

9 The contract document was inadequate

Normally contracts are subject to careful review and approval as they are the key document that defines legally enforceable promises.

Not in this case.

The contract document is appalling, from the wording to the myopic intent to transfer risk to a medium-sized company to the remuneration basis. I can't believe that a qualified lawyer approved this.

Learning Point #9

The VGPB (or its successor body) should limit contract drafting for high risk or complex projects to qualified lawyers or accredited officers (who have attended training on contract drafting and who have received guidance in configuring options in pre-approved contract templates).

The Secretary of DJPR should be counselled on delegating such a complex task to an officer so ill-equipped to perform the task they were asked to do

10 Contract management was inadequate

You didn't need me to say that, did you?

The photographs of security guards sleeping, engrossed on their phones, the stories of inappropriate behaviour.

Not to mention the fact that the guard's poor hygiene practices and lack of infection-control routines caused the largest industrial accident in Australian history.

Or rather the guards from one security company.

While the officers from Global Victoria were shooting a video congratulating themselves on a job well done, security guards were confused about

• Who had to provide PPE
• What policies applied to PPE
• How to treat distressed travellers
• How to deal with special dietary needs

There are no standards in the contract and no KPIs. The whole project is an abject lesson in 'muddling through'. That a $6m enquiry has yet to establish even which Department was in charge of quarantine arrangements reveals that this whole project was an omnishambles.

Learning Point #10

The VGPB (or its successor body) should limit contract management for high risk or complex projects to accredited officers (who have attended training on contract management). (Conflict of interest declaration; I deliver training in contract management)

The Secretary of DJPR should be counselled on delegating such a complex task to officers so ill-equipped to perform the task they were asked to do

Final thoughts

In 2003 I was asked by a loose alliance of CPOs in Melbourne ('the Melbourne Committee') to go to the UK to try to persuade the Chartered Institute of Procurement and Supply (CIPS) to replace the Australian Institute of Purchasing and Materials Management. CIPS had been asked previously but were proceeding at a glacial pace, and the members of the Melbourne Committee (Telstra, BHP Billiton, Coles, Australia Post etc) wanted to kick start a step-change in the capability of procurement in Australia. They hoped that CIPS would be the catalyst for that.

I was present a year or two later when Ken James (then Chief Executive of CIPS) gave a speech about how the future for procurement in Australia was bright. He opened the offices of CIPSA in Collins Street Melbourne and everyone shared a vision that we were on the verge of a new era for procurement in Australia.

Fifteen years later and those lofty ambitions and fine words appear hopelessly misplaced. Many people in business and the public sector have no idea what procurement is. Some have negative sentiments. The criticisms of the AIPMM that were prevalent in the early 2000s can now easily be transferred to CIPSA.

New players like World Commerce and Contracting (formerly IACCM) have engaged with new audiences and in particular, focused upon conversations with a wide range of practitioners outside the procurement community who are involved in commerce and contracting. This is to be welcomed by anyone who cares about the future of the procurement function. The days when procurement practitioners can act as a closed club have long gone.

This sorry tale is not just about one contract in one jurisdiction at one point in time. It is a shining example of the systemic lack of expertise in our State Government in engaging with external service providers. And rather than tut and shake out heads about the failures, we each need to ask ourselves what can we do to change things?

I plan to send these three articles to the VGPB ( I know!) and to the Auditor General in Victoria, as well as to my local MP. If you have suggestions about what might happen next, let me know.

A final word. These issues raise passions in people, and I have seen some silencing tactics used to squash criticism of the current administration in Victoria. It is never a good time to analyse what went wrong; always tomorrow, never today. So to anyone who thinks I shouldn't have written these articles, the next sections are for you! And if you are a consultant worried that if you speak up it may stop you getting more work in future, can I ask you if you are a 'trusted advisor'? Do you give advice that is 'frank and fearless'?

Well?

Something something... 'wait for the results of the enquiry'

No.

Anyone who has paid attention to the enquiry will know that the transcripts are in the public domain. You can see them here. The enquiry is focused upon who made the decision to use private security, I am focused upon capturing lessons learned in a timely manner while the subject is still fresh.

Something something... 'you are just criticising Daniel Andrews'

No.

There is a concerted attempt to silence commentary on this matter, hiding under the hashtag #IstandwithDan. I am critical of the officers in the Victorian State Government, especially in the Department of Jobs, Precincts and Regions (DJPR) and the role and contribution of the Victorian Government Purchasing Board (VGPB). I don't even mention Daniel Andrews.

Something something... 'you shouldn't name people who can't defend themselves'

No.

All the names mentioned and documents quoted are in the public domain. Most of the content is from the evidence tendered to the Board of Inquiry. If you have followed the Board of Inquiry you will know that no one is to blame for anything as no one can remember anything. So jog on.

Something something... 'it was a crisis and you are applying standards that are unreasonable'

No.

All organisations, be they Governemnt or private, have business continuity plans or disaster recovery plans or emergency plans. I have been involved in emergency planning in the public sector in both Northern and Southern Hemispheres. The reality is that the results in Victoria are in part due to the failure to use resources that were available, even on a Saturday.