Ob-la-di, OBR – life goes on?

The budget leak shows what happens when mission and digital drift apart

01 December 2025

In his report published today, Professor Ciaran Martin says the OBR is “a well-planned but significantly underpowered operation”. 

Its “online capabilities, processes and procedures are insufficient for the vital and sensitive task it is entrusted to deliver.”

Every mission-driven organisation I’ve worked with has its own version of this problem.

The OBR ‘leak’ was caused by a flaw in a WordPress setup which felt familiar too. I fixed something similar in a previous role: thousands of supposedly private documents were being exposed by WordPress Media Library (being used as a file-sharing tool) and indexed by Google, accessible to anyone and everyone.

So how do organisations get into these situations? It’s not because people don’t care. Good people work at these places. But these good people inherit bad systems. Systems that seem to work and are assumed to be reliable, inside a culture where testing that assumption isn’t the done thing.

Martin’s report is an indictment of this complacency. It shows what happens when your organisation’s identity is closed off from the internet. The OBR saw itself as economic forecasters, not as owners of infrastructure that enabled the publication of its forecasts.

As my friend Sarah Jane Mace puts it: “your website is your organisation, online”. This is a subtle but significant mindset shift which matters greatly. It matters because designing, implementing and maintaining infrastructure requires different capabilities than pre-internet mission delivery.

OBR had just six people handling finance, HR, IT, communications and web operations between them. A handful of people operating infrastructure that moves markets with what Martin calls capabilities “more akin to that used by a small or medium-sized business”.

While some pieces of the puzzle were in place – risk registers, oversight boards etc. – it’s apparent that the team lacked the picture on the box: someone connecting what’s being published (market-sensitive forecasts) to the platform being used to do it (WordPress) and the practical behaviour of that system (predictable URLs).

So many organisations across the public and third sector have the same conditions. Inherited systems that, with some effort, still appear to work. Cultures where questioning the as-is state (“this could be better”) is seen as disruptive, not mission-critical. Leadership with a singular focus on ‘mission delivery’ but not the infrastructure that delivers it. All resulting in digital being seen as important but adjacent, an ‘enabler’, not part of the organisation’s DNA.

Digital is the organisation. Not supporting infrastructure. It’s the thing in and of itself. 

Getting that wrong has just cost Richard Hughes, the OBR CEO, his job. But, for most organisations, life goes on just as before.