Business Maverick 12 January 2020
The Eskom Pension and Provident Fund sent a letter to Daily Maverick Editor-in-Chief Branko Brkic, criticising Business Maverick’s report on the pension fund’s flawed administration processes and potential compromised tender efforts in migrating to a new system come 1 May 2020. But their response leaves the reader with more questions than answers.
A letter sent by the Eskom Pension and Provident Fund (EPPF) to Daily Maverick and signed by CEO and principal officer Linda Mateza has been published. This is welcomed by Business Maverick. It opens up the slate for public debate and sets the stage for finding solutions.
The letter attempts to discredit the allegation, made in the previous report, that the version of the software underpinning the current system is hopelessly outdated. This contradicts the information contained in leaked emails addressed to the executive stating this fact, as well as confirmation from insiders on the state of the matter. Business Maverick has asked the EPPF to prove otherwise and is awaiting its response.
Business Maverick also queried the reasons behind the fund’s decisions to not run the updates over the past eight years in which the system has been in operation, reasons which are not apparent to those involved or evident in the paperwork at hand.
Meanwhile, the environment remains vulnerable to data integrity breaches, not to mention the problems introduced to the process of managing pension fund members’ personal data and valuating benefits by way of manual Microsoft Excel spreadsheets and unchecked input by individuals. The latter concern was ironically not even mentioned in the EPPF’s mail.
But the proof of the pudding is in the eating, and here are a few tasters.
In a letter addressed to the board of trustees and members of the executive board — which is a document available in the public domain — some examples of system failures due to these system shortcomings were quoted.
As part of an architecture project in 2018, there was an objective of conducting interviews with a small sample of EPPF members. To this end, a minimum number of 14 members had to be interviewed, yet it took in excess of 168 attempts to successfully do so, most often due to incorrect or non-existent data, provided via various Excel platforms.
“To further support these claims regarding data quality, one only has to go back to the December 2018 payment run”, the memo states. “As it happened multiple ‘dummy’ runs had to be made and a multitude of physical data fixes executed before a successful production run could be managed to pay the pensions of members in that month.
“It is important to note that not a single one of these dummy run failures were (sic) caused by the much-maligned Omni-system (provided by the current administration system vendor Global ASP), but rather by inaccurate data,” says the letter to the board.
And as mentioned in the previous article, there was the unfortunate incident where about 126 pensioners’ monthly payments were transferred to one individual at the end of 2018, due to an ill-managed data fix that erroneously applied a global update to a number of records.
If such types of errors are not seen as a threat to the livelihoods of pensioners and current contributors, then what is?
This was another question posed to the pension fund on Sunday 12 January 2020, to which Business Maverick expects a response in the upcoming week.
So it is safe to say that the integrity of the current system processes remains in question.
What is also lacking, in the leaked internal documents, in conversations with insiders and in the letter addressed to Daily Maverick, is an answer to this question: how are these shortcomings being dealt with?
First, the statement made by the EPPF that the “yet to be finalised” tender process to appoint a new administrator “was undertaken with the aim of improving the processing of benefits, enhancing controls, reducing costs, and providing a better service experience to its members” holds no water without addressing the underlying issue of questionable source data.
Second, there is the matter of gaining access to the so-called source data. Business Maverick has it on good authority that the EPPF requested access thereto from the current vendor via its attorneys in late 2019, yet Global ASP technically does not have access to it.
They only manage the system and are not privy to the input or the sources of the fund’s data. A board resolution and an indemnity form in terms of data quality need to be provided for Global ASP to provide such a data dump, which is not necessarily compatible with any other system or the Excel spreadsheets currently in use internally.
Gavin Williams, CEO of Global ASP, told Business Maverick he will only be able to provide an acceptable written public response on queries during the week.
Meanwhile, the tender process is in full swing, according to the EPPF’s letter, and fully kosher. On paper, that cannot be refuted at present. However, the pension fund’s statement is a whole different kettle of fish, and a little foul-smelling at that.
Industry players and sources close to the matter that Business Maverick spoke to say it is nearly impossible to implement a new system in the timelines envisioned in the tender document, which is a mere seven months.
Here is what is being claimed, which also provides the due diligence that the EPPF, in its correspondence, alleges is lacking in the previous report — Business Maverick apologises in advance for the verbosity of the devil’s detail:
Typically, for a new system to be pursued, the board and executive need to reach an agreement and provide permission for a new solution to be investigated. This would imply a cost-benefit analysis, competitor analysis, risk report, as well as a clearly defined view of the business strategy.
This is usually a fairly drawn-out process that can last some months. If the system is core to the organisation then generally two to three months is an optimistic timeline for this phase.
An organisation would then typically go to market with a request for information (RFI), in which they try to assess who the potential providers would be, what the typical solutions offer and how it compares to broad requirements and expectations.
An RFI is a formal document that will ask some very specific and pointed questions that can take a few months to draft and structure, at least a month to distribute and receive feedback, and then needs some time to disseminate the feedback. This period might also include site visits to similar (yet non-competing) organisations to gain an understanding of best practice.
IT experts questioned are of the opinion that the full life cycle of an RFI is usually around three months when core systems are involved, but depending on complexity and number of potential respondents, may take substantially longer.
The next step is to draft a request for proposal (RFP) to determine the vendor of choice for the potential implementation of a solution, which in this case was an open tender. It comprises building a fairly detailed view of what the solution must be capable of in terms of basic and key functionality, nice-to-haves, integration capabilities, as well as what the implementation strategy will be in terms of the project scope.
The RFP will also delve into details such as empowerment credentials as well as compliance with South African laws and territorial requirements. Not to mention adherence to Popi guidelines and IOSCO standards.
For the scope of the EPPF project — replacing two of their three core systems at once — it would be short-sighted not to allow several months for this preparation.
In addition to the RFP, there is stakeholder engagement before the release of the RFP that adds substantially to such a timeline. A realistic timeline would be anywhere between three and six months, usually followed by a response time of anywhere between 30 days and several months, depending on the complexity of the solution.
It should, therefore, be assumed that the full lifecycle of the RFP from inception to return of responses will not be less than nine months.
A detailed pre-prescribed scoring and vetting process will follow the RFP process and may require site visits and engagement with specific vendors to ensure that scoring is underpinned by detailed understanding.
It goes without saying that the audit function plays a major role in this step to ensure objectivity, which the EPPF confirmed was in place.
Once a preferred vendor is chosen, an official announcement will be made, with a statement of intent, but with a reservation of the right to select another vendor from the shortlist should contracting be unsuccessful.
It is not clear whether the contract negotiations have been concluded with EBSphere — which owns the Everest solution as mentioned in the previous article — as the letter dated 10 January is the first public mention of the EPPF’s preferred vendor.
Only once the contract has been agreed will the vendor and client begin working together on delivering the implementation project according to the project timelines. Most often vendors don’t have full teams of implementation specialists on standby, so it is normal for this project kick-off phase to take at least a month.
Usually, at this point, the solution is understood right down to the deepest level of architecture, which if not already abundantly clear, represents a massive body of work, with extensive involvement by both vendor and client, and there is simply no way that any organisation that has applied due diligence to the design of its project can assume that this will take any less than six months.
Something that is of extreme concern, and needs specific mention here, is user acceptance testing and the settling-in period.
In order to achieve this, and as the EPPF works in monthly cycles, one would expect new and old systems to run in parallel for a period of at least three months to ensure that the system works as planned, and there is adequate time to make corrections as required.
This may be done either by retaining the old system post-implementation, allowing for an emergency roll-back if required, or by running the new system parallel to the old system, albeit in a test environment, for several financial periods before going live.
Business Maverick is reliably informed that the existing vendor will not agree to a short-term extension of the existing contract post-April 2020, without a contract in place.
So here we are, three months to the deadline. But no matter the approach, IT contracting is a highly complex matter, involving cross-functional teams from both the vendor and the client.
It includes cost and maintenance schedules, responsibilities of client and vendor, confirmation of detailed requirements and timelines, performance clauses, liabilities, breach, and of course all the contractual jargon corporate lawyers thrive on.
“It is perverse to believe that the conversion from one platform to another for two major business units (the financial and the administration systems) can be done in less than seven months,” an internal note to the board states, “transcend to two individual back-to-back tax years and maintain the financial record on two systems ahead of a June year-end where post-April no contract will enable any recourse to the outgoing system (to) exist and taking into account that standard practice is a freeze period of all systems support for an extended period over December to January.”
These concerns and risks around implementation were well documented in a roadmap presented to the executive in mid-2018, yet the decision was made to purge the CIO and close the project office shortly after that. It was followed by various notes sent to the executive highlighting the risks posed by an overhasty transition, and still the EPPF gave notice to Global ASP in March of 2019 that its contract will not be renewed, without having a documented migration plan in place.
So the most imminent questions that remain and that were posed to the EPPF are:
If the migration fails come April 2020, why was this decision made to fire the CIO and go forward with an impossible implementation timeframe after continuous warnings of the risks involved were made evident to senior management?
If it doesn’t and goes live without a hitch, how is it possible that the current preferred vendor pulled it off without insight into the migration outside of the tender timelines and the intent of the executive to change to a specific service provider in the first place?
That leaves the members of the pension fund and their beneficiaries with a lot more questions than answers, now doesn’t it? And Business Maverick awaits the EPPF’s reply.
In the meantime, one thing is certain: this inquiry is far from over.