Version Tracking

CONTENTS

1.      INTRODUCTION. 5

2.      PURPOSE. 5

3.      SCOPE. 6

4.      DEFINITIONS. 6

5.      POLICY STATEMENTS. 7

6.      DUTIES AND RESPONSIBILITIES. 8

7.      PROCESSES. 11

7.1   Planning & Control 11

7.2   Procurement of IT Assets. 11

7.3   Procurement of IT Systems. 12

7.4   Procurement of Maintenance 13

7.5   Contract Management 14

7.6   Asset Management 14

8.      TRAINING REQUIREMENTS. 15

9.      REFERENCES AND ASSOCIATED DOCUMENTATION. 15

10.    EQUALITY IMPACT STATEMENT. 15

11.    MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS. Error! Bookmark not defined.

EQUALITY IMPACT SCREENING TOOL. Error! Bookmark not defined.

QUICK REFERENCE GUIDE

For quick reference the guide below is a summary of actions required. This does not negate the need for those involved in the process to be aware of and follow the detail of this policy.

1. Failure to engage with Procurement Services and the IT Department within adequate timescales may result in delays, and possible cessation, of procurements of IT Assets and Systems.  Further, it could result in purchased items not being fit for purpose or incompatible with the wider IT systems and network operation.

1. This policy is applicable to the day to day management of IT Assets and Systems by each ORFIL Department and applies to all IT Assets and Systems purchased by or on behalf of the ORFIL, including Computer Systems, individual pieces of computerised equipment, software and any equipment that is to be connected to or used with IT infrastructure (e.g. IT Systems, and equipment that will transmit data across the ORFIL’s network.).

1. It is the policy of the ORFIL that all procurement of IT Assets and Systems (is led by ORFIL Procurement Services and undertaken and implemented by the IT Department in conjunction with the Department or Client Lead.

1. All procurement will be subject to adequate controls, process and procedures being applied, based upon its estimated value. In all instances the ORFIL’s Standing Orders, Standing Financial Instructions, Procurement Policies and ORFIL Procurement Services requirements and codes of conduct apply when procuring IT Assets and Systems and a business case needs to be approved when required as per the ORFIL’s Business Case Policy..

1. Whole Life Costs must be considered including any extensions. Contracts for IT Systems will have a determined duration; before contracts expire the ORFIL needs to consider the market and the current ORFIL needs. 

1. All IT Systems purchased shall be assigned Information Asset Owners (IAO) and registered in the ORFIL’s information asset registers. 

1. IT Assets and Systems shall only be used within their contracted and procured limits.

1. All IT Assets and Systems shall be adequately administered and maintained to ensure they remain fit for purpose and compliant with licenced conditions of use during the whole life of the Asset or System.

1. The following diagram illustrates the Procurement process to be followed.

1.        INTRODUCTION

This policy forms part of an overall set of ORFIL policies that define and control deployment and use of the ORFIL’s IT Assets and set standards and practices for information security management.

Information technology is a key asset used to support the delivery of the ORFIL’s Lending services and management processes.  The hardware and software that makes up core IT Systems and infrastructure; the data processed and stored; and information flows supported are vital resources for the ORFIL.  They must be procured, supported, maintained, protected and disposed of accordingly.

Poor procurement and asset management of IT Systems and individual components pose grave risks to the ORFIL, its staff and customers.  It can lead to unplanned expenditure, wasted money and staff time, failure of Systems and equipment to perform as required, disruption of core IT infrastructure (and thus ORFIL services), prosecution or levy of fines for breach of software licensing and inadequate supplier support in event of failure.  

The ORFIL ensures its statutory obligations are met through the implementation of financial and procurement policies, standing orders, requirements, guidelines and the engagement of authorised and expert resources.

It is the policy of the ORFIL that all procurements of IT Assets and Systems must be undertaken and implemented:

• by ORFIL Procurement Services and the IT Department in accordance with this document and the ORFIL’s Standing Financial Instructions, Standing Orders, policies and requirements;

Failure to engage with ORFIL Procurement Services and the IT Department in necessary timescales may result in delays, and possible cessation, of procurements of IT Assets and Systems, and could result in purchased items not being fit for purpose or incompatible with the ORFIL’s wider IT systems and network operation.

2.        PURPOSE

This policy intends to create awareness of obligations related to the procurement and management of IT Assets and Systems, and specifically aims to ensure that IT Assets and Systems purchased for use by the ORFIL align with the ORFIL’s strategic plans and route maps; comply with standards set through the ORFIL’s IT policies and guidelines and; are compatible, supported and maintainable in line with the contract agreed.

This policy is designed to: 

• establish the process to procure and manage IT Systems and  Assets;
• protect the ORFIL from risks associated with poor and inappropriate procurement and management of IT Assets and Systems;
• lay out the requirements to ensure Systems are used within their defined and contracted limits;
• ensure purchases align with the ORFIL’s strategic plans and comply with set standards;
• ensure IT Systems are registered within the relevant Information Asset Registers;
• ensure IT Assets are registered within the IT Department asset management system; and 
• ensure IT assets are compatible, supported, maintainable and correctly licensed.

This Policy does not stand in isolation, and must be implemented in conjunction with the wider range of procurement and financial policies, standing orders and standards of the ORFIL.

3.        SCOPE

3.1       This policy applies to all IT Assets and Systems purchased by or on behalf of the ORFIL.   Including:

• Computer Systems.
• Individual pieces of computerised equipment.
• Software.
• Equipment that is to be connected to or used with IT infrastructure such as peripheral equipment, that electronically stores files/data on the ORFIL’s central file storage IT Systems, and equipment that will transmit data across the ORFIL’s network.

3.2       This policy applies to IT Assets and Systems purchased via any funding source.   For the benefit of doubt this includes but is not limited to:

• Revenue budgets
• Capital expenditure

3.3       This policy applies to all persons (including employees, voluntary and workers, contractors, agency and sub-contract staff, partner organisations, suppliers and customers) who intend to procure or request the procurement of IT Assets and Systems for use by or on behalf the ORFIL.

4.        DEFINITIONS

4.1       The term ‘IT System’ is used to cover the combination of application and operating system software, databases, servers and other infrastructure and devices used to access and use applications.  Systems are usually intended for use by many people.

4.2       The term ‘IT Asset’ is used to cover all items of computer hardware and software used by or on behalf of the ORFIL and equipment that connects to it.  This includes devices (e.g. computers, lap tops, tablets and smart devices), peripheral equipment (e.g. printers, cameras, scanners) and software for use on, or with, computer equipment.

4.3       The “Information Asset Owner” or “IAO” is a senior member of staff who is the nominated owner for one or more identified Information Assets of the ORFIL and is responsible for the management and control of the Information Assets together with their contracted arrangements.

4.4       “Information Asset”  means IT System, paper system or any other identifiable collection of data stored in any manner and recognised as having value for the purpose of enabling the ORFIL to perform its business functions.

4.5       The “Client Lead” is a senior member of staff who is the nominated lead for the requesting Service or Department wishing to procure an IT Asset or System.   This person may also be the IAO or Service / Department Manager responsible for management of their Service / Department’s IT Assets or Systems, but is identified separately in this document to distinguish procurement responsibilities from ongoing IT asset management responsibilities. 

4.6       “Software” means machine readable instructions, programs, libraries and associated documentation that are used by computers to perform general and specific tasks and functions. 

4.7       “Whole Life Cost” includes but is not limited to the initial purchase cost, installation and configuration, interfaces and integration with other systems, data migration and any other bespoke development, training, software, escrow agreements, hardware costs (initial and any projected mid-term refresh), consumables, licenses, and annual support and maintenance costs totalled over both the initial core term and any optional extension periods. It should also consider and include the possible future expansion of the system in terms of functionality and scope and any increase in the number of users that need to be licensed.

5.        POLICY STATEMENTS

5.1       All IT Assets and Systems purchased by the ORFIL are the property of the ORFIL and:

1. shall be deployed and utilised as deemed most effective to the ORFIL’s needs, and objectively demonstrate best value for money is obtained; 
2. follow best procurement practice as per the ORFIL Policies and applicable legislation

5.2       Procurement of IT Assets and Systems shall be subject to necessary controls that ensure:

1. The strategic fit, alignment and prioritisation of items being purchased
2. Technical, operational and maintenance compatibility with appropriate existing IT Systems and infrastructure
3. Benefits of purchase are identified and realised
4. Compliance with legislation and the ORFIL’s own governance and control requirements (e.g. Information Governance) are met

5.3       In all instances the ORFIL’s Standing Orders, Financial Instructions, Business Case and Procurement Policies and ORFIL Procurement Services requirements and codes of conduct apply when procuring IT Assets and Systems.

5.4       All procurement will be subject to adequate process and procedure being applied, based upon its estimated Whole Life Costs, as defined in the ORFIL’s Standing Financial Instructions and guided by ORFIL Procurement Services.

5.5       Procurements of IT Assets and Systems must be undertaken and implemented by the IT Department, who are responsible for engaging with ORFIL Procurement Services.   Requesters intending to procure IT Assets or Systems for use by the ORFIL must undertake such procurement through, or with the written approval of, the Director of Procurement and Commercial services at ORFIL Procurement Services and the Head of the IT Department.

5.6       Based upon estimated Whole Life Cost (including extensions), as per ORFIL Standing Financial Instructions, and as defined in requirements and guidance provided by ORFIL Procurement Services, all procurement within the ORFIL is to be subjected to adequate processes and procedures being applied. Contracts will have a determined duration (no rolling contracts are allowed) and before contract expiry, the ORFIL will consider the market and the current ORFIL needs.

5.7       The IT Department shall not, without adequate and suitable further justification, approve or proceed with the procurement of IT Assets and Systems that do not comply with the requirements of this policy, plans, standards or expectations.

5.8       All IT Assets purchased (excluding consumable items, e.g. keyboards, mouse, etc.) shall be registered in the IT Department’s asset management system and asset tagged before being issued or put into use.

5.9       All IT Systems purchased shall be assigned Information Asset Owners and registered in the ORFIL’s information asset registers.

5.10     IT Systems shall only be used within their contracted and procured limits.

5.11     IT Assets and Systems shall be adequately administered and maintained to ensure they remain fit for purpose and compliant with licenced conditions of use during the whole life of the System and Asset.

5.12     The extension of the scope or functionality of an IT System beyond that originally approved for purchase shall constitute and be subject to the same criteria as the procurement of a new IT system. 

6.        DUTIES AND RESPONSIBILITIES

6.1       IT Committee

6.1.1    The IT Committee acts as the point of escalation for issues arising from this Policy.

6.2       ORFIL Procurement Services

6.2.1    ORFIL Procurement Services and its staff are responsible when engaged by the ORFIL for:

• Ensuring that any requests for IT Assets or Systems received directly are referred to the IT Department for review and technical approval before procurement is initiated.
• Ensuring best value for money is obtained, taking into account lifetime costs associated with purchase of goods and services.
• Provision of expertise, market intelligence, material and guidance to support sourcing, specification, evaluation, negotiation.
• Working closely with the IT Department and the requesting Department ensuring due process is followed.

6.3       The IT Department

6.3.1    The IT Department and its staff are responsible for:

• As part of the annual ORFIL Business Planning cycle, collating all IT investment requirements notified to them by Services and Departments,  involving appropriate stakeholders in prioritising them in accordance with ORFIL Strategy, gaining formal approval for the annual IT Development Programme and notifying Services and Departments which investments will be funded.
• Managing the procurement of all IT Assets and Systems on behalf of the ORFIL in accordance with this policy
• Arranging the assignment of Information Asset Owners and Lending Safety Officers for core IT Systems and infrastructure.
• Engaging and working closely with ORFIL Procurement Services to provide specialist procurement support at every stage of the procurement.
• Agreeing sources and channels for the provision of IT Assets with ORFIL Procurement Services.
• Reviewing IT Assets and Systems to verify that they align with the ORFIL’s strategic plans, route maps and standard equipment lists and; comply with standards set through the ORFIL’s IT policies and guidelines.
• Upkeep and maintenance of IT asset management procedures including configuration and asset management databases.
• Registration and control of IT equipment.
• Supporting creation of specific required documentation to undertake a procurement process such as specification and evaluation criteria or assist the Client Lead when Lending systems are to be purchased. 
• Compliance with agreed terms and conditions for the IT Assets and Systems for which they have ongoing day-to-day responsibility.
• Contract and asset management of IT Assets and Systems for the IT Assets and Systems for which they have ongoing day-to-day responsibility.

6.4       Service and Department Managers

6.4.1    In addition to the other responsibilities and duties detailed in this policy, Service and Department Managers are responsible for:

• As part of the annual ORFIL Business Planning cycle, notifying the IT Department of all IT investment requirements for the forthcoming financial year with details of risks incurred by not making the investment, benefits of doing so and likely funding sources.
• When notified by the IT Department of IT investments which may be funded, following appropriate ORFIL approval routes to gain formal approval to make the required investment, involving the IT Department. 
• Nominating an appropriate ‘Client Lead’ to represent the Service or Department throughout any subsequent procurement.
• Ensuring that the IT Service Desk is informed, at the earliest opportunity, of reallocation and relocation of IT Assets (providing all asset numbers and new locations).

6.5       Client Lead (Budget Holders, System Requestors and Managers)

6.5.1    In addition to the other responsibilities and duties detailed in this policy, The Client Lead is responsible for:

• Ensuring that their permanent and temporary staff and contractors involved in IT Asset or System procurement have read and understood this policy.
• Ensuring timely engagement with the IT Department and ORFIL Procurement Services in the purchase of IT Assets and Systems.  Ideally this will be at initial ideas stage and, at latest it must be prior to any decision making or approval.
• Ensuring that funding and expenditure for IT procurements is authorised in accordance with this and the ORFIL’s wider policies and procedures and aligned to central road map.
• Identifying Information Asset Owners, Information Asset Administrators and Lending Safety Officers for IT Systems which are not classified as ORFIL-wide Information Assets.
• Providing documentation requested by the IT Department and ORFIL Procurement Services to undertake the procurement process, such as specification of requirements and evaluation criteria when IT Systems are to be purchased.
• Defining internal roles and responsibilities when participating on a tender exercise and ensuring that staff involved in procurement decisions are appropriately trained by ORFIL Procurement Services.
• Committing time and resources to the procurement process as required.
• Ensuring that the IT Assets or Systems are compatible, supported and maintained and in accordance with the terms of the license.
• Ensuring the use of IT Systems is in line with the terms and conditions agreed with Suppliers and reviewed by ORFIL Procurement Services.

6.6       Information Asset Owner (IAO)

6.6.1    In addition to the other responsibilities and duties detailed in this policy, The IAO is responsible for:

• Registration of the IT System on the Information Asset Register.
• Ensuring that the IT Service Desk is informed, at the earliest opportunity, of reallocation and relocation of IT Assets (providing all asset numbers and new locations).
• Assignment of Information Asset Administrators for each IT System for which they are responsible.
• Ongoing compliance with contract and license terms and conditions of IT Asset and System usage.
• Day-to-day asset management including monitoring of licenced usage and arrangement of adjustments in licenced capacity as might be required. 
• Contract management of IT Assets and Systems.
• The provision of adequate ongoing support and maintenance arrangements.
• Ensuring timely engagement with the IT Department and Procurement Services in purchase of replacement IT Assets and Systems.  This must be sufficiently in advance of termination of an existing contract to allow time for a competitive procurement to take place.

6.7       Staff

6.7.1    Every member of staff is responsible for ensuring that they comply with this and related ORFIL and IT policies, processes related to this policy, guidelines and safe working practices.

7.        PROCESSES

7.1       Planning & Control

7.1.1    For provisions to be included in consolidated IT financial and resource planning, requirements for IT Assets and Systems must be identified through one of the following channels:

• The annual business planning and IT capital planning process; or
• The IT Department’s new business workflow.

7.1.2    In addition to the specific controls details in clause 5.2, procurement of IT Assets and Systems are subject to the ORFIL’s controls and measures that operate at any given time; including but not limited to approved business cases and ECF (Expenditure Control Form)

7.2       Procurement of IT Assets

7.2.1    On behalf of the ORFIL, and in consultation and agreement with ORFIL Procurement Services, the IT Department is responsible for identifying and managing sources and channels for the purchase of IT Assets.

7.2.2    Enquiries and requests for individual IT Assets (those that do not constitute a system) must be submitted to the IT Department Service Desk and ORFIL Procurement Services in accordance with current ordering processes and procedures.

7.2.3    Enquiries and requests will be processed by the IT Department Service Desk in accordance with established procedures and published timescales, engaging ORFIL Procurement Services.

7.2.4      Before finalising orders, the IT Department Service Desk will advise the requester of:

• Additional hardware and software items and services that might be required to fulfill the request.
• Changes to the requested items to meet the requirements of this policy and ORFIL IT standards.
• The costs of the purchase (initial and on-going costs) with the input of ORFIL Procurement Services.

7.2.5    Adequate procurement process shall be followed as per the ORFIL Financial Instructions; and by utilising existing Framework agreements whenever possible and as long as best value for money is provided. 

7.2.6    Once the details of the order are agreed, the IT Department Service Desk will raise an electronic requisition and submit it to the budget holder for approval together with technical approval. If all the information required is contained within the requisition, a purchase order will then be raised and processed by ORFIL Procurement Services. 

7.3       Procurement of IT Systems

7.3.1    All IT System procurements will be undertaken and implemented as formal projects which conform to the ORFIL’s adopted project management model 

7.3.2    Subject to prioritisation within the ORFIL’s IT Development Programme, the IT Department will assist the Client Lead in completion of a feasibility review, which defines the proposal and takes account of all relevant factors to determine the viability of the proposal, and which amounts to an Outline Business Case and covers aspects including:

• Funding and capacity, including Whole Life Costs.
• Additional hardware and software items and services that might be required to fulfil the request. e.g. licences, interfaces, maintenance and/or support.
• Completion of Information Governance Due Diligence Form and Privacy Impact Assessment to ensure compliance with Data Protection Legislation.

7.3.3    Provided viability is proven, ORFIL Procurement Services and the IT Department Programme Team will assist the Client Lead with development of a project brief (and business case if required) for presentation and approval by the funding body.

7.3.4    Regardless of funding availability, procurement of any IT system (or proposal for expansion, upgrade or development of existing system) and associated services with costs exceeding thresholds set out in the ORFIL Standing Financial Instructions must be approved by the relevant ORFIL body prior to any commitment of funding.

7.3.5    ORFIL Procurement Services will advise how to follow the appropriate procurement route. The Procurement process will depend on Whole Life Cost and complexity, as per ORFIL Standing Financial Instructions. 

7.3.6    ORFIL Procurement Services shall provide a specification template and specification questionnaire and evaluation model template (on request) which highlights aspects to take into consideration when drafting a specification, questions to test responses to tender and evaluation model to score the responses, taking into account the number of licenses required.  

7.3.7    The IT Department and/or Client Lead will provide an outline specification and relevant information in relation to the IT system to be procured using ORFIL Procurement Services’ template specification.  Such specification and information shall include adequate consideration and documentation of all requirements including functional, outcome, software usage and licencing, implementation, maintenance and support. The IT Department will provide content on the IT standards to be adhered to.

7.3.8    ORFIL Procurement Services will advise on gaps and adequacy of the specification and will assist the IT Department and/or Client Lead in putting together evaluation criteria. Details regarding the Procurement Process are contained within ORFIL Procurement Services Procurement Procedures Manual.

7.3.9    Once the appropriate procurement route has been followed and the procurement outcome has been approved a requisition will be processed containing all relevant documents (including but not limited to approval documentation, commercial proposal accepted, and terms and conditions applicable) for ORFIL Procurement Service to raise a valid purchase order.

7.3.10   Due procurement process shall be followed unless there is a specific justification not to enter into competitive process as per the ORFIL Standing Financial Instructions.

7.3.11  The Contract will have a determined duration which may or may not include extensions depending on the ORFIL needs (extension cannot be longer than initial term). At least six months before the contract expires or before the contract renewal /termination notice period the Information Asset Owner or Client Lead will need to engage with ORFIL Procurement Services and the IT Department to analyse the current ORFIL needs, the state of the market and re-start the procurement process.   This is especially important where existing licensing prohibits the use of the IT System when the current contract expires.

7.4       Procurement of Maintenance

7.4.1    Maintenance can be purchased for IT Assets and IT Systems within the tender process or as a separate process. The purchase of IT Systems shall consider the Whole Life Cost including maintenance.  When possible, suppliers shall be required to provide a guarantee period and specify the costs of maintenance during the duration of the contract (Whole Life Cost considerations) and tender documents shall specify if the requirements include maintenance costs.

7.4.2    If Maintenance is to be purchased separately from the IT System the same process shall be followed as per Section 7.3 above.

7.4.3    The Contract will have a determined duration. With sufficient time scale before the contract is due to expire the Information Asset Owner or Client Lead will need to engage with the IT Department and ORFIL Procurement Services to analyse the current ORFIL needs, the state of the market and re-start the procurement process.

7.5       Contract Management

7.5.1    All IT Systems purchased shall be assigned Information Asset Owners and registered by them in the ORFIL’s information asset registers. 

7.5.2    Once the procurement outcome has been approved, and the requisition has been raised, contract terms and conditions shall be completed with the input of the Client Lead and the IT Department as per the terms and conditions specified within the procurement process. The Contract shall be signed by a ORFIL authorised representative as per the ORFIL’s Scheme of Financial Delegation.

7.5.3    Unless agreed to be a ORFIL-wide application, once the contract is in place the System’s Information Asset Owner is responsible for the management of the contract and asset.  The IAO is expected to understand the overall business goals, the terms of the contract and how the information assets contribute to and affect these goals. 

7.5.4    Any required changes in the contract will be consulted with the ORFIL Procurement Services and the IT Department, who will advise the need to undertake a separate procurement process, or whether the changes are permitted within the existing contract.

7.5.5    The IAO shall initiate actions to ensure that extensions and/or replacements of contracts are undertaken with sufficient time scale being allowed for necessary review, re-specification, procurement, contract award and signature.  This should commence at least 6-12 months before the current contract expires.

7.6       Asset Management

7.6.1    IAOs and other Department functions and roles with assigned responsibilities for asset management of IT Assets and Systems shall establish and maintain local processes that comply with other appropriate policies, IT guidelines and safe working practices and procedures of the ORFIL.

7.6.2    IAOs will ensure that up to date asset records; including contract details, software licences, conditions and media, etc. are either:

• Locally and securely controlled and stored in accordance with IT guidelines and available for inspection and use at reasonable request; or
• Under prior agreement, held by the IT Department on behalf of the Information Asset Owner with local records making such reference.

7.6.3    IAOs will ensure that usage is monitored to verify System and software licence compliance, and will instigate corrective and remedial actions to maintain compliant usage with contracted and licenced conditions.

7.6.4    IAOs will ensure that System / Asset utilisation is regularly review of and necessary action instigated to ensure efficient and effective usage is being obtained.

7.6.5    IAOs will ensure IT Assets and Systems are retired, archived and disposed of, in consultation with the IT Department. 

8.        TRAINING REQUIREMENTS

8.1       Members of staff are individually responsible for ensuring that they comply with ORFIL policies and procedures.

8.2       Specific questions relating to IT procurement can be addressed to the IT Department Service Desk.

8.3       General questions relating to procurement can be addressed to ORFIL Procurement Services, which also provides Bite Size procurement training.

8.4       Information Asset Owners are required to complete the mandatory Information Governance / Risk Assessment training.

9.        REFERENCES AND ASSOCIATED DOCUMENTATION

9.1       The ORFIL aims to adopt other standards and recognised best practice it considers appropriate, including:

10.      EQUALITY IMPACT STATEMENT

10.1     ORFIL is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on any grounds.

10.2     This policy has been assessed accordingly.

10.3     Our values are the core of what ORFIL is and what we cherish.  They are beliefs that manifest in the behaviours our employees display in the workplace. 

10.4     Our Values were developed after listening to our staff.  They bring the ORFIL closer to its vision to be the best Customer Experience in lending, ensure that our customers are at the centre of all we do.

10.5     We are committed to promoting a culture founded on these values which form the ‘heart’ of our ORFIL:

Working together for customers

Working together with compassion

Working together as one team

Working together always improving

10.6     This policy should be read and implemented with the ORFIL Values in mind at all times