Integrated Assurance – a problem cracked or in the too-difficult pile?

Save for later


In May 2014, we published the ‘Guide to Integrated Assurance'. At the time integrated assurance was a hot topic, with many organisations struggling to cope with ever increasing demands for assurance in and around its projects. “We’re being assured to death!” was a common cry.

It’s all gone quiet recently, though. There are still the perennial questions about assurance, such as what role Internal Audit should have in assuring projects, and when does a ‘review’ become an ‘audit’; and newer questions about how to effectively assure Agile projects [see our ‘Guide to Assurance of Agile delivery’ published last year]; but has the challenge of integrating assurance activities been cracked?

I think not.

What has changed, I think, is that organisations now recognise much better the need to actively manage their assurance environments, but from what I see, they have not made that much progress in doing so. Why? Because its difficult.

At this point, it may be useful to refresh our memories about what ‘integrated assurance’ is.

The BoK 6 definition is:

"The coordination of assurance activities where there are a number of assurance providers."

But there's actually a lot more to it than mere coordination. And even to achieve coordination requires common principles to be complied with.

Rather than fill this blog with details about what integrated assurance is, perhaps you'd like to watch a few videos that I recorded recently with The PM Channel, here.

I think it is time to get people talking about this again. I don’t mean just going over the same ground (avoiding conflicts, minimising distractions and inefficiencies, not getting a full picture, etc.). I mean that we need to be thinking about how we develop our previous thinking on the topic to address why it's so difficult to implement, and how can we extract even greater value from it.

I sense that some organisations have tinkered with their assurance arrangements a bit, partially applied the three-lines-of-defence model, and tried a bit of assurance mapping, and think that that’s about it. But are they really getting that much additional value from their assurance functions than they were? Are their assurance interventions really that much better? Is their Audit Committee now getting a truly integrated and comprehensive view of assurance outputs?

Of course, you can get some value out of any degree of integrating assurance, but to get real value needs a lot of thought and effort, and maybe even cultural and organisational changes. Is there sufficient appetite for that?

How can we help?

I think there needs to be a new imperative. A new dimension that makes people think: “Oh! I never thought integrated assurance could help us like that!”.

One possibility is the concept of ‘progressive assurance’, in which assurance is provided progressively through the life of a project. For progressive assurance to work well, there has to be a degree of assurance integration – and the more integration the better. I am finding a growing interest in progressive assurance.

Perhaps you have some other ideas?

The Assurance SIG is looking to restart its ‘Integrated Assurance’ workstream shortly. If you’d like to be involved in this, please let me know.

Roy Millard

Chair of APM Assurance SIG

Roy Millard

Posted by Roy Millard on 11th May 2018

About the Author

Until November 2017, I was responsible for the planning and delivery of all internal audits of project and programme management within Transport for London. I joined TfL Internal Audit in September 2002, and have over 34 years of experience of engineering projects in PPP, PFI, partnering, joint venture, consortia and conventional contracting environments, as project engineer, risk manager, project manager and internal audit manager. In particular, I had lead roles within Racal on major defence projects such Bowman and IRIS, and as a senior manager within Thales on the Connect project for London Underground.

I now work as an independent consultant providing advice and support on matters of governance, risk and assurance in project organisations. My business name is P3 Risk & Assurance.

I have an Honours degree and a post-graduate Diploma in Management Studies; am a Fellow of the APM and a full member of the Institution of Engineering and Technology; chair the APM Nominations Panel; have the APMP qualification and have been PRINCE2 and MSP qualified at Practitioner level; and am the founder and Chairman of the Project & Programme Assurance Specific Interest Group.

Comments on this site are moderated. Please allow up to 24 hours for your comment to be published on this site. Thank you for adding your comment.

{{item.AuthorName}} {{item.AuthorName}} says on {{item.DateFormattedString}}:

Join APM

Sign up to the APM Newsletter.