Laying the foundations for better local public services
Priorities at each phase of reorganisation
Local government reorganisation (LGR) rarely follows a neat sequence. Political decisions, legal milestones and operational pressures overlap. Digital, data, technology and cyber work must respond to this.
Reorganisation also looks different depending on whether councils are:
coming together into a new unitary
splitting apart into more than one
doing a combination of both
The phases below apply to these scenarios but the priorities within each phase will vary depending on the direction of change.
Cyber risk does not remain static during LGR. It typically increases during periods of change, especially when there is:
structural change, particularly where there is media interest
changes to processes and staff, and wider system access
the introduction of transitional architectures
LGR also offers councils the opportunity to fix longer-term cyber challenges which may have been delayed due to complexity or disruption, such as changes to network architecture.
This resource sets out common phases councils that have been through LGR have experienced. It is not a mandated timeline and does not replace the wider LGR programme structure. It provides advisory, evidence-based guidance to help you assess where you are, what you should prioritise and what may be too early.
Use this resource to assess your position. The most common delivery risks in LGR come from:
attempting transformation before stabilisation
reducing cost before reducing duplication
letting the loudest supplier or easiest option set the direction before you understand your systems landscape
There’s a real danger that councils could be pushed into selecting systems for the new council that aren’t necessarily the best option. When you’re trying to bring several organisations together quickly, the loudest supplier or the easiest option can start to dominate the conversation. That’s why it’s important to step back and look at the systems landscape at a high level before committing to a direction.
Council Head of Digital Services
Choosing between aggregation, disaggregation or both
Most LGR conversations focus on aggregation. This means combining councils, systems, data and contracts into a smaller number of larger unitaries. In practice, many reorganisations also involve disaggregation. This includes splitting shared services, separating data, dividing contracts and unwinding joint arrangements. This is common where two new councils are formed from one predecessor, or where a shared service is no longer the right model.
Throughout this resource, we highlight where activities differ and set out disaggregation-specific considerations. The main text applies where the activity is broadly the same.
If your LGR involves both, be clear about which way each service or system is moving. Some will aggregate, such as finance, payroll and identity. Others will disaggregate, such as services shared with a council not joining you, or a county service being split across new unitaries.
Mapping these changes early helps to avoid contradictory plans and unrealistic timelines.
One of my lessons is that we should have spent more time finding common ground and understanding each other’s motivations rather than focusing on our differences. It’s a real opportunity to rethink how you deliver services and drive transformation for your local area. There’s huge potential, but you have to be pragmatic and realistic about the timescales – and stay focused on improving outcomes for residents, even when the process feels challenging.
Kate Hurr, Assistant Director for Digital and ICT, Cumberland Council
How to use this guidance
Use this guidance to:
identify which phase your services or domains are in
check whether current priorities align with that phase
challenge activity that may be premature or mis-sequenced
explain sequencing decisions to senior leaders, members and partners
This guidance:
sits alongside the wider LGR programme structure rather than replacing it
focuses specifically on digital, data, technology and cyber
recognises that phases overlap, run in parallel, and are not always linear
supports proportionate decision-making at every scale
Different services may sit in different phases at the same time. For example, payroll may be converged while planning systems remain fragmented. Or one shared service may be aggregating while another is disaggregating. This is normal. The aim is align your approach, not to follow a rigid sequence.
Typical digital and cyber phases in LGR
LGR prioritisation and planning workbook template
Use our workbook alongside this guidance to structure your planning and decision-making. It will help you:
map activities against phases
document key decisions and assumptions, including whether each domain is aggregating or disaggregating
prioritise initiatives based on risk and timing
identify early warning signs when programmes may be moving too quickly
Digital and cyber leaders should prioritise building relationships and improving visibility across councils before decisions are confirmed.
Early collaboration is not just a technical exercise. Councils that build shared ownership and trust at the start make faster, more sustainable progress in later phases. The risk in this phase is focusing on differences and protecting existing investments. Councils that progress best identify shared goals early and avoid a ‘winning and losing’ narrative.
In practice, this includes:
establishing cross-council digital and cyber networks
co-designing shared values, principles and architecture, rather than applying one council’s approach
putting residents and local businesses at the centre of discussions
demonstrating collaborative and transparent leadership
beginning informal system and contract mapping
identifying fragile or unsupported systems
surfacing major supplier dependencies
aligning information governance policies and data standards, for example, how address, postcode or person records are formatted, to support future migration and sharing
agreeing broad design principles rather than specific platforms
Avoid selecting future systems or attempting integration at this stage.
The same mapping discipline applies where a service is likely to split. You will also have to plan how to separate data, contracts and people cleanly.
Identify joint or shared services with neighbouring councils that will not continue in the same way after vesting day.
Start identifying datasets that will need to be split by postcode or service area. Check the quality of this addressing data early.
Informal data sharing and exploratory access between councils increases risk. Temporary access arrangements should be logged and monitored.
You should also seek early visibility of cyber risks and vulnerabilities across the organisations involved, including:
known weaknesses in critical systems
incomplete security controls
areas where assurance is limited
Use this to inform what you prioritise before day one.
At the start, I was optimistic – but reality caught up quickly. You physically can’t smash eight organisations together overnight. We had to slow down, sequence properly and be honest with senior leaders about what was achievable. Consolidate first, then transform. Once you bring people together around something concrete, you have real options.
Madeline Hoskin, Assistant Director for Technology, North Yorkshire Council
Major systems, contracts and risks are visible across the partnership
Design principles are agreed
Working relationships are established
Phase 2: Decision confirmed and shadow authority
Once reorganisation is confirmed, clarity becomes critical. This phase usually involves two overlapping strands of work:
defining the new council’s scope for day one
setting up the shadow authority
Both need attention. Both will compete for senior officer time while new appointments are being made, and predecessor councils are still operating.
Framing the day one objective as a minimum viable council helps maintain focus on safe, legal and operational delivery. This reduces the risk of overplanning while still allowing for smaller, practical transformations.
Decisions cannot be paused during the shadow period. Contracts will continue to expire, services must run, and predecessor councils remain legally responsible until vesting day. The focus is on how to make decisions, and ensuring they are lawful, proportionate, and do not constrain the new council.
Day one scope priorities typically include:
agreeing the digital and cyber scope
embedding digital, data and technology (DDaT) and cyber governance within the LGR programme, including clear decision-making, risk ownership and escalation routes
agreeing a DDaT target operating model, including helpdesk and IT service management consolidation, reporting lines, and how IT services will run
confirming domain and identity strategy
mapping contract renewal cliffs
aligning cyber monitoring and resilience planning
aligning information governance and data standards across councils, building on the work started in phase one
Setting up a shadow website to publish shadow committee meetings, agendas and minutes
Supporting recruitment of the new council’s first senior officers, including identities, devices and access
Defining decision-making rights early, including what the shadow authority can decide and what remains with predecessor councils until vesting day
Defining clear roles and responsibilities in the event of a cyber incident, so it is clear who responds and makes decisions
Maintaining a clear focus on resident outcomes and agreed design principles to avoid defaulting pressure to any single council’s preferences
Identifying key day one cyber risks for the shadow authority, including identity and access risks, temporary or shared architecture risks, phishing and suspicious activity reporting, supplier or hosting dependencies and incident response responsibilities
Agreeing proportionate mitigations, owners and escalation routes before vesting day
Avoid committing to full convergence at this stage.
Define the future support model, including how staff moving to new unitaries will continue to access the back-office systems they need on day one, and which team will provide support.
Identify which contracts will need to be split, transferred or re-procured, and which datasets need to be separated before vesting day.
Plan for joint working arrangements where two new unitaries are being created from one predecessor, recognising that these may continue for months or years after vesting day.
Plan inter-authority agreements (IAAs) for any hosted or shared services, setting out responsibilities, governance, financial arrangements and dispute resolution between the new councils. Insufficiently detailed IAAs have been a source of risk in previous reorganisations.
Planning for shared identity, federated access or dual networks increases attack surface
Before expanding connectivity, review multi-factor authentication (MFA) coverage, privileged access and monitoring
Like most councils, we’re already operating with very lean technology teams. At the same time, we’re being asked to deliver a major organisational change while keeping all existing services running. That makes prioritisation really important, because we simply don’t have the capacity to do everything at once. Clear guidance on what to focus on first would make a huge difference.
Council Head of IT Applications
One of the risks is that people assume the IT side will just work on day one. Systems only work if someone has identified everything in advance and done the work to make sure it’s ready. If that visibility isn’t there early enough, it’s very easy for things to get overlooked because everyone assumes the technology will simply carry on as it always has.
Council Transformation Lead
Defined day one scope
Established shadow authority operating arrangements
Decision-making rights are clearly defined, governed and understood across the programme
Phase 3: Final 90 days before vesting
As vesting day approaches, stability takes priority. This phase is about rehearsal, not redesign.
Typical activities include:
freezing non-essential change
confirming a single website entry point for users
planning customer portal transitions and CRM continuity, so the resident experience isn’t fragmented on day one
testing payroll and statutory systems
validating identity and access controls
rehearsing incident and escalation plans
confirming day one support arrangements, so staff and residents know how to contact ICT, and ICT teams are resourced for a spike in calls around identity, access and login issues
making sure staff know how to report suspicious activity, including phishing, unusual login prompts and other signs of compromise, and testing the reporting routes before day one
Introducing new transformation initiatives at this stage increases the likelihood of service disruption.
If your council is disaggregating, confirm:
data splits, often based on postcode, are complete and validated before vesting day – late changes are costly and risky
interim data-sharing and access arrangements are in place for services continuing jointly after vesting day
roles and responsibilities for security processes are defined for temporary or shared architectures, including who is responsible for patching, scanning and access management
Temporary architectures, such as dual tenancies or mixed cloud and on-premise arrangements, increase risk. Cyber leads should ensure these are documented, actively managed and regularly reviewed, with clear ownership for patching, monitoring, access control and exit.
Core systems tested under realistic conditions
Support arrangements are in place
Customer-facing continuity has been rehearsed
Phase 4: Vesting and first 100 days
Vesting day is a milestone, not an endpoint. Use the first 100 days to review operational experience and reset priorities, rather than declaring stability and moving on. Some services will stabilise quickly. Others, including those still running on parallel infrastructure or in shared arrangements, will take longer.
Typical activities include:
reviewing temporary arrangements
refreshing baselines based on operational reality
reassessing supplier exposure
identifying realistic convergence candidates
updating the roadmap based on what is known now, rather than what was planned in shadow
Parallel running, extended licences and temporary consultancy costs are normal at this stage. They often continue beyond 100 days and into year one and beyond. Attempting to reduce cost before reducing duplication increases risk. The pressure to show savings begins in this phase and grows through years two and three.
Phase four also reveals the consequences of decisions delayed earlier in the programme. Councils that postponed contract or system decisions during shadow often see an increase in commercial and technical activity in the first 12 to 18 months after vesting day. Where knowledge is held by individuals rather than documented, gaps can emerge quickly as staff move on. These issues, often caused by missing decisions, poor data or undocumented arrangements, are easier to manage when anticipated and harder to resolve once they emerge.
Joint working arrangements with neighbouring new councils often continue beyond day one. Decide which of these will be permanent, transitional or expiring. Avoid situations where systems are not maintained and security is neglected because responsibility is unclear.
The legacy councils’ networks should only be connected if you are confident they are not compromised or threaten each other. Instead of fully decommissioning separate networks and systems, consider repurposing them to support network segmentation or segregation.
Identify where data, contracts or supplier relationships remain partly shared and need active management.
Monitoring and incident response is important in this phase due to new identity domains, heightened phishing risk and increased public visibility.
Services stabilising
Risks understood
Temporary arrangements actively managed rather than drifting
An early convergence plan is agreed
You progress through this phase than leave it cleanly.
Phase 5: Year one and beyond – convergence and ongoing divergence
Year one convergence should be targeted and proportionate. Full integration can overwhelm teams and suppliers, and convergence work often continues beyond the first year. Disaggregation activity started before vesting is also likely to continue. Separating data, contracts and supplier relationships does not end at day one.
Councils typically focus on:
aligning systems as contracts expire, and making decisions where they don’t – sunk-cost choices are unavoidable, and contracts will not always align neatly
consolidating enterprise licence, including Microsoft 365 tenancy decisions and other large licensing events
reducing high-cost duplication
simplifying where policy is aligned
strengthening shared platforms incrementally
completing disaggregation activity started before vesting, including separating supplier arrangements, continuing data splits and unwinding joint services that are not part of the long-term model
Decisions about shared services that won’t continue, and how to wind them down without disrupting residents, are most significant in the first year.
Where two new councils inherited the same supplier under a single contract, expect complex negotiations about transfer, splitting or replacement.
System consolidation often involves data migration and integration changes. Do not reduce the time and rigour for data protection impact assessments or secure migration planning to meet financial targets.
Savings at this stage are usually operational efficiencies rather than immediate financial reductions. Pressure to deliver savings typically increases in years two and three, which should inform planning in this phase.
Duplication has reduced in priority areas
Disaggregation activity is being completed where required
Convergence is being delivered in a controlled and sustainable way
Phase 6: Years two to three consolidation and redesign
Once foundations are stable, councils can:
retire legacy systems
reduce integration complexity
complete the data quality work started earlier in the programme
The early data work, such as postcode and address quality and information governance alignment, should be complete by this stage. This phase is where broader data improvement and service redesign become realistic.
This phase enables meaningful service redesign.
Decommissioning legacy systems can expose weaknesses in historical data handling. Manage archiving and deletion processes carefully.
Temporary arrangements should not become permanent through inertia.
Platforms are rationalised
Data is more reliable
Measurable service improvements
Ongoing activities
Across all phases, several activities must continue.
Operational resilience
Cyber monitoring and improvement, including Cyber Assessment Framework (CAF) for local government progression
Supplier and contract risk management
Workforce capability protection
Preparing the helpdesk for increased demand around vesting day and convergence events
Programme discipline
Governance, decision logging and risk management, including cyber
Communications with staff and residents
Maintaining information governance and data standards established early in the programme
Data quality improvement, especially postcode and address data, which underpins disaggregation
These do not pause between phases.
Signs you may be moving too fast
These signals often appear before major delivery issues become visible.
Risk increases when:
savings are announced before duplication is reduced
integration decisions are not aligned with policy
cyber incidents increase during structural change
staff attrition increases significantly
governance processes are bypassed
decisions reflect organisational positions rather than shared outcomes
shadow IT emerges, with services procuring or building their own solutions because central teams are stretched
Recognising these signs early allows leaders to pause and recalibrate.
Minimum, moderate and maximum ambition
Councils differ in scale and capacity. For each phase, consider:
minimum – actions needed to remain safe and legal
moderate – actions that enable smoother convergence or cleaner disaggregation
maximum – ambitious steps toward redesign
This approach supports proportionate decision-making without increasing risk. It also helps leaders assess what level of ambition is realistic for their capacity and be clear when constraints change.