As an organisation, we are committed to carrying out our regulatory duties efficiently, effectively and transparently, to deliver the best value for money for all stakeholders. We have made good progress against last year’s business plan deliverables on developing and supporting our people and modernising our ways of working.
Technology, data and processes
An important part of our technology strategy has been a continued focus this year on enhancing our cyber security to align ourselves with the Government Cyber Security Strategy 2022-30 and achieve a more cohesive and stronger ‘security first’ culture across the business. Alongside other government departments we were also required to complete Gov Assure to review security maturity.
We successfully completed the personnel security maturity model assessment, which has led to a greater understanding of security risks across the entire organisation and the part individuals play in protecting ORR. We engaged employees in a number of phishing campaigns to raise awareness and improve vigilance and will continue to do so in the coming year. We have begun work to improve our real-time network and external device monitoring for cybersecurity threats, with the implementation of tools that can holistically scan across our estate and highlight any critical issues, and we will continue to invest in early warning protection.
We had intended to seek Cyber Essentials Plus certification this year, an assessment to help strengthen ORR’s protection against a whole range of the most common cyber-attacks. We decided that we could not evidence some of the requirements, so we undertook a number of gap analysis exercises offered by central government to help us understand what good looks like and how to gather evidence to complete the assessment in future. We took part in several tailored exercises specific to ORR and government, including one provided by the Cabinet Office that focussed on a targeted attack on internal threat risk.
ORR’s data strategy was launched in October 2023. Delivered at pace, the strategy supports our goal of being a forward-looking regulator by unlocking the value of data to improve day-to-day operations and deliver real insights that can lead to better regulatory decisions. Wide-ranging engagement with colleagues helped to develop the strategy and embed it in the organisation, and the strategy is being delivered through a detailed implementation plan.
The momentum created in designing the strategy helped ORR top the league table of Civil Service departments participating in One Big Thing, the government’s initiative on data literacy and skills, with 87% of our staff registering.
We achieved only partial adoption of the new case management system across the organisation. This new digital product will improve efficiency by enabling all data to be held in one place. We expect to complete adoption by all teams in 2024-25.
As planned, we completed our location move to our permanent new office in Glasgow. Success was down to excellent collaboration between our facilities team and the Glasgow team, resulting in a modern and vibrant workspace.
Supporting and developing our people
We launched our new diversity and inclusion (D&I) strategy in May 2024, and as part of our cycle of D&I learning across the organisation we ran mandatory inclusion training for all colleagues in 2023-24, using our MyLearning system. Mandatory training is part of ensuring continuous professional development and organisational health, and in the coming year we will build on this with bystander and inclusive recruitment training.
In January we introduced our new resolution policy, which focuses on informal resolution of complaints wherever possible, and was supported by joint learning between our HR team and trade union colleagues on how to have facilitated conversations. We deliberately delayed the roll-out of the policy to ensure that we had engaged effectively with colleagues on what was a significant change in policy, and this also meant it was aligned with delivery later in the year of director training on investigations, which complements our disciplinary and grievance processes. This training will be rolled out to other senior leaders in the coming year.
Our new fertility treatment support policy was introduced early in the year, with uptake by three members of staff so far. The policy offers special leave of up to five days per annum for those who are undergoing – or have partners who are undergoing – fertility treatment and is part of widening our employee benefits offering, to help the organisation attract and retain the talent we need.
ORR participated in the Women in Rail mentoring programme throughout the year, with very positive feedback from both mentors and mentees on its value. There are already a higher number of applicants this year and, given its success, we intend to embed the scheme into our business-as-usual development opportunities in future.
Our performance against 2023-24 business plan deliverables
2023-24 Commitment | Status |
---|---|
Conduct personnel security maturity model assessment | Met |
Complete Cyber Essentials assessment | Cancelled |
Implement more real-time monitoring for cyber security threats | Met |
Full adoption of the new case management system | Not met |
Finalise workforce and location move to new Glasgow office | Met |
Provide mandatory training on inclusion | Met |
Provide mandatory senior management training on conducting investigations and managing discipline and grievance in the workplace | Met |
Introduce a new ORR dispute resolution policy | Met |
Participate in Women in Rail mentoring programme with 5 mentor-mentee opportunities | Met |
Introduce a fertility treatment support policy | Met |
Develop a corporate environmental strategy for ORR | Met |
Develop a data strategy for ORR | Met |
Following a review of the Cyber Essentials criteria, it was clear that ORR were not in a position to complete the Cyber Essentials assessment in 2023-24. However, a number of third-party audits and security strengthening measures have been completed in place of these planned works.
While most areas of the business are using the case management system, there are two areas which have not yet migrated onto the system.
Future plans
Our deliverables for 2024-25 are to: finalise our new three-year technology strategy and complete the first cycle of our rolling 12-month cyber security plan; provide fraud awareness and risk management training for colleagues; and revise ORR procurement policy and procedures to comply with new legislation. In line with the ambition of our diversity and inclusion strategy, our focus will also be on evaluating and benchmarking organisational culture with a culture audit, and strengthening our management and leadership capability, aided by the introduction of people information dashboards for managers and delivering bystander training over the year.