You used the phrase “red alert”. I would push back slightly on the use of the word “alert”. We are using a well-developed and familiar risk management framework. We look at particular issues with reference to the magnitude of their potential impact on the programme and the probability of their happening, and we assign them a red, amber or green level. That helps us—like any programme manager—to focus resources and activities. The fact that something is green does not mean that we are not looking at it; it just means that it does not need the immediate attention that something that is red needs.
The rating for a particular item is a combination of the potential impact and the probability. If something that could have a relatively low impact on the project was moderately likely to happen, it could end up as amber or even green.
If we did not do the identification of the Scottish taxpayer population right and did not get a high level of accuracy of identification, that would have a significant impact on the whole project. Although the potential impact is high, we do not think that the probability is particularly high. However, when we take account of the probability and the impact together, that gives the identification of the Scottish taxpayer population an overall risk measurement of 18, which is in the red zone, so it is a red risk. That is the background.
I will distinguish between the rating that is given to individual risks and our view of the programme as a whole, which we regard as being very much on track. We are confident that the SRIT will be delivered on schedule in April 2016. Having one or more red items in a risk register is entirely normal; in a sense, it is reassuring, because it shows that we are focusing continuously on the areas into which we need to put resources.
As for the specific risk—on which I gave evidence to the Treasury Committee of the UK Parliament before Christmas—we do not have the power to compel people to notify us of changes of address; I do not remember whether I told you that previously. Therefore, we cannot be completely confident that our register of names and addresses is 100 per cent accurate and nor can we be confident that our programme of communication and publicity over this year will tease out all the individuals whose addresses have changed. In effect, those are the risks that are reflected in the risk register.
We have been considering the use of third-party data that we can calibrate against our data to identify individuals for whom there is a mismatch between our record of their address and that in other data sources. That would improve the overall database’s accuracy. That is the mitigating action for the risk.
Since the risk register was prepared, we have made progress. Sarah Walker might want to say a bit about where we have got to with using the electoral register as a third-party source of data, on which progress has been made in the past couple of days.
11:30