The Vendor Dependency Spiral
£1.25 billion in contracts. Declining leverage with each one.
DHCW manages a vendor portfolio valued at approximately £1.25 billion. Each outsourced capability deepens dependence on the vendor; internal capacity to validate vendor claims atrophies; the next strategic decision is made with less independent technical judgement than the last. Specific contracts (a £20M Kainos framework the Chair admitted he had not looked at; a £226M Microsoft Enterprise Agreement passed in one sentence with no questions) show the pattern at board level.
When a complex programme arises, the path of least resistance is to outsource it. But outsourcing does not build internal capability. Without internal capability, you cannot evaluate vendor performance or negotiate from strength.
What is the Vendor Dependency Spiral at DHCW?
The vendor controls timeline and cost. When the next programme arises, you outsource again – because you still lack the capability you never built. The portfolio grows. The leverage shrinks.
Each outsourced programme reduces the internal skill pool available to assess the next contract, which makes the next contract more likely to be outsourced on worse terms.
How It Manifests at DHCW
DHCW manages a contract portfolio valued at roughly £1.25 billion. For an organisation whose stated purpose is to deliver digital services for NHS Wales, that number is an indictment.
Multiple contracts have undisclosed values – a basic transparency failure that should not be possible in a public body. The RISP radiology supplier is unnamed despite a £47-56M contract value. The Channel 3/Aire Logic NTA contract value has never been publicly disclosed. Promptly Health received £11M with no visible business case.
Sole-bidder contracts have become normalised.
The board approval process is itself part of the problem. The knowledge graph documents 51 distinct instances where DHCW’s board approved spending without substantive scrutiny. A £20M framework agreement with Kainos was approved in circumstances where the Chair later admitted: “I should have looked. I don’t know how these appear on our website as contracts.” A £226M Microsoft Enterprise Agreement passed at the March 2026 board meeting in a single sentence — no questions, no vote. The full business cases for LIMS, LINC, and RISP were all moved into private session under “commercial sensitivity,” removing scrutiny from the public record. When the largest contracts the organisation signs are approved with less attention than a routine policy update, the vendor sets the terms by default.
This spiral is compounded by L7: The Competence Void. Leaders without technology delivery experience cannot evaluate vendor claims – they cannot tell the difference between a vendor delivering real value and a vendor managing upward. They cannot negotiate effectively because they don’t understand what they’re buying. This creates an accountability vacuum that vendors exploit – and rationally should exploit, because there is no counterweight. The incompetence is itself protected by the absence of psychological safety: technical staff who could expose the gap are perceived as threats and are either selected against via L8 or retaliated against via L9.
The Head of Software Engineering role was advertised at Band 8c (£71-82k) – well below market rate for the responsibility. At that salary, you will not attract someone who can build the internal capability to challenge a £1.25 billion vendor portfolio. The role was either designed for an internal candidate or it was never serious. Either way, the spiral continues.
The consequence of this dependency was visible in March 2026, when the PSBA network went down across NHS Wales. O365, EPMA, RISP, radiology — all unavailable simultaneously across every health board. A single shared infrastructure dependency, owned and operated by a single supplier, took the whole digital estate offline. There was no fallback. There could not be: the architecture had not been designed to survive the loss of any of its central vendor relationships. The same dependency dynamic is visible at the DHCW data centre layer: the supplier’s cooling failover failed in July 2024, then failed in near-identical fashion in June 2025, twelve months apart, with no contractual remediation visible between the two incidents (see DHCW Data Centre). Two suppliers; two infrastructure layers; the same exposure to concentrated single-vendor failure modes.
Denmark and Estonia built modern digital health infrastructure with smaller budgets by investing in internal capability and maintaining genuine competitive procurement. Wales has the resources to do the same.
The vendor dependency is a choice, not a constraint.
What would a healthy alternative look like?
Every outsourced programme includes a mandatory knowledge transfer plan and internal capability build. Contract values are published. Vendor performance is assessed independently. Sole-bidder contracts trigger automatic governance review. Internal technical teams retain enough capability to evaluate vendor claims and negotiate from strength.
How does the blueprint break the Vendor Dependency Spiral?
The spiral only unwinds when the default choice flips from “outsource” to “build”. Flip the Model rebuilds internal technical capability as the primary delivery mechanism, with vendors used for bounded specialist work on published terms. As in-house competence rises, the organisation regains the ability to evaluate vendor claims — which is the precondition for every other procurement and contract reform.