In May 2014, we published the ‘Guide to Integrated Assurance'. At the time integrated assurance was a hot topic, with many organisations struggling to cope with ever increasing demands for assurance in and around its projects. “We’re being assured to death!” was a common cry.
It’s all gone quiet recently, though. There are still the perennial questions about assurance, such as what role Internal Audit should have in assuring projects, and when does a ‘review’ become an ‘audit’; and newer questions about how to effectively assure Agile projects [see our ‘Guide to Assurance of Agile delivery’ published last year]; but has the challenge of integrating assurance activities been cracked?
I think not.
What has changed, I think, is that organisations now recognise much better the need to actively manage their assurance environments, but from what I see, they have not made that much progress in doing so. Why? Because its difficult.
At this point, it may be useful to refresh our memories about what ‘integrated assurance’ is.
The BoK 6 definition is:
"The coordination of assurance activities where there are a number of assurance providers."
But there's actually a lot more to it than mere coordination. And even to achieve coordination requires common principles to be complied with.
Rather than fill this blog with details about what integrated assurance is, perhaps you'd like to watch a few videos that I recorded recently with The PM Channel, here.
I think it is time to get people talking about this again. I don’t mean just going over the same ground (avoiding conflicts, minimising distractions and inefficiencies, not getting a full picture, etc.). I mean that we need to be thinking about how we develop our previous thinking on the topic to address why it's so difficult to implement, and how can we extract even greater value from it.
I sense that some organisations have tinkered with their assurance arrangements a bit, partially applied the three-lines-of-defence model, and tried a bit of assurance mapping, and think that that’s about it. But are they really getting that much additional value from their assurance functions than they were? Are their assurance interventions really that much better? Is their Audit Committee now getting a truly integrated and comprehensive view of assurance outputs?
Of course, you can get some value out of any degree of integrating assurance, but to get real value needs a lot of thought and effort, and maybe even cultural and organisational changes. Is there sufficient appetite for that?
How can we help?
I think there needs to be a new imperative. A new dimension that makes people think: “Oh! I never thought integrated assurance could help us like that!”.
One possibility is the concept of ‘progressive assurance’, in which assurance is provided progressively through the life of a project. For progressive assurance to work well, there has to be a degree of assurance integration – and the more integration the better. I am finding a growing interest in progressive assurance.
Perhaps you have some other ideas?
The Assurance SIG is looking to restart its ‘Integrated Assurance’ workstream shortly. If you’d like to be involved in this, please let me know.
Chair of APM Assurance SIG