Skip to main content

About the author

Andrew Wright

Head of TRPM Product

Andrew Wright is Head of TPRM Product, and first joined Thomas Murray in 2002 as a Business Analyst. Andrew is responsible for working with our clients and developers to research the market for TPRM solutions, and to drive the roadmap for our leading Orbit Risk platform for monitoring third and fourth parties through due diligence, cyber security, and risk intelligence capabilities.

Over the course of 1999 and 2000, the UK Post Office started installing a new accounting system in branches run by its franchise holders (or sub-postmasters). Called Horizon, and created by Fujitsu, it would be the start of a tragedy that ruined the lives and reputations of hundreds of sub-postmasters across the United Kingdom.

More than 20 years later, a public inquiry into the Post Office scandal is still uncovering the full extent of the damage. Meanwhile, Fujitsu may no longer be on the UK government’s approved vendor lists, but it remains a ‘preferred supplier’ and its third-largest supplier of IT services.

“The biggest miscarriage of justice in UK history”

The very brief version of this story is that Horizon contained a fatal flaw that made it impossible for many sub-postmasters to balance their books. On paper, it seemed as though the Post Office was being robbed – on a huge scale – by its own franchise holders.

Sub-postmasters reported the problem to the Post Office but, as we now know, the Post Office was aware from the outset that Horizon itself was the likely cause of the discrepancies in the branch accounts.

Nevertheless, the Post Office hid this information from the sub-postmasters and their defence lawyers. About 700 sub-postmasters were convicted of theft and false accounting, and some were even imprisoned, in what has been called the ‘biggest miscarriage of justice in UK history’.

RFPs as part of transparency and accountability

In this case, it seems there was an absence of a proper selection and screening, or “request for proposal” (RFP), plan. As we’ll see, even the best RFP process may not have saved the sub-postmasters. But as part of wider due diligence, any organisation’s effective RFP process will be designed to:

  • encourage competition;
  • weed out conflicts of interest by ensuring that bidders are truly independent of the organisation issuing the RFP;
  • enable a genuine, informed choice of provider; and
  • assess any risks that the provider may pose to the organisation (‘third-party risk management,’ or TPRM).

For all of these reasons, RFPs are – or should be – a key part of government procurement. They are important for combatting corruption and cronyism by creating transparency in the public sector, and in ensuring that government money is being spent effectively.

Why is the Post Office reliant on Fujitsu?

The very short answer would seem to be that there was no apparent link between government procurement processes and due diligence processes. Over time, Fujitsu simply wove itself so thoroughly into the Post Office’s day-to-day running that it came to be seen as the only choice, not necessarily the best one.

The slightly longer answer lies way back in the 1970s, when the UK government formed International Computers Ltd (ICL). ICL became the default supplier of hardware and software to most government departments, nationalised utility boards, and public sector services (including the Post Office).

Spotting an opportunity, Fujitsu began acquiring shares in ICL in the 1980s. By the turn of the century, Fujitsu owned ICL outright and ICL as a brand disappeared. Those lucrative UK government contracts, however, remained with Fujitsu.

Fujitsu – supplier vs indispensable partner

ICL’s origins and the systems it had deeply embedded throughout the UK’s entire IT infrastructure meant that Fujitsu, its new owner, was often the only bidder for the government’s IT contracts.

The reasons for this are not hard to glean. Fujitsu is dealing with proprietary legacy tech that it alone has knowledge of, and dismantling it and starting over will be hugely expensive and logistically difficult.

In fact, the Post Office had planned to migrate its accounting services to the cloud. But, in April 2023, even as the public inquiry continued, Fujitsu was awarded a £16.5m extension on its Post Office contract because the cloud migration struck ‘fundamental issues’ that would significantly delay the project.

Meanwhile, sub-postmasters continue to report defects in their Fujitsu-supplied software.

A hard lesson

The problem, then, is not that the Post Office is unaware of the risks it’s running by engaging with Fujitsu.

Instead, the Post Office saga is an extreme example of what can happen to real people when large organisations forge ahead with projects without proper due diligence, RFP, or TPRM processes. Too often, RFP responses do not allow organisations to make side-by-side comparisons of bidders, leading to unnecessary risk exposure and less than satisfactory outcomes – even if they are not as extreme as the failings in the Post Office scandal.

How we can help

We can help you to structure and organise your RFP process so that you can make considered, informed decisions and find the suppliers that best meet your needs. We offer an extensive library of customisable questionnaires to complement our automated RFP service, ensuring that your third-party relationships are properly managed from the start.

We combine that with our award-winning technology to provide our clients with continuous monitoring of their third-party risk, from onboarding to offboarding.

Talk to one of our experts, or request a demonstration of how Orbit Risk can help your organisation to get the most out of its next RFP.


Contact an expert

Robert Smith

Robert Smith

Head of SaaS Sales and Customer Success 

Sarah Nelson

Sarah Nelson

Senior SaaS Sales Executive | SaaS sales