More understanding of assurance is needed among project professionals, PMOs and audit professionals to reduce the number of project failures.
Roy Millard, owner at P3 Risk & Assurance and founder and former chair of APM’s Assurance SIG, says that, despite a widespread acknowledgement within the industry of how good assurance should be structured, it is often let down by poor behaviours.
“I often get asked why, with so much assurance around, failures still happen. Well, even the best assurance framework is only as strong as the commitment behind it. Take Crossrail. I understand management stopped believing that they needed assurance. As soon as it unravelled, things such as budget and timelines started to go wrong. The behaviours behind the assurance changed.”
Millard believes assurance is a core competence that can be supported with associated training and qualifications.
“Project managers have a crucial role to play in assurance because they use the systems and processes which provide and build confidence in successful delivery. But many are so fixated with what they are doing day to day that they don’t think about it.
“Assurance should be another element of being a good project manager alongside governance and risk management.”
What exactly is good assurance in projects?
Essentially, assurance is done to ensure that a project is on track. A key part of the assurance process is the conduct of reviews, whether on specific elements or on the entirety of a programme or project, and the use of audits.
Good assurance comes in many shapes and guises, including, according to the SIG: quality assurance, safety audits, gateway reviews, independent engineer reviews, internal audits, project audits, contract audits, external audits, peer reviews and control self-assurance.
“All assurance should be risk-based. The purpose of it is to give confidence that the risks are being adequately managed,” Millard explains. “One of the issues is that assurance means so many different things to so many people. Some see it as an independent intrusive review or don’t understand that an audit is part of assurance.”
Assurance is built around the ‘Three Lines of Defence’ model. The first line is the project professionals who are responsible for identifying and managing risk as part of their accountability for achieving project objectives. The second line provides the polices, frameworks, standards and processes to support project professionals to manage risk and compliance. This also includes monitoring to assess how effectively project professionals are doing it.
The third line is internal audits, delivered by people outside of the first two lines, advising how things could be improved. They report to the board or audit committee and can provide assurance to sector regulators and external auditors.
“Assurance should follow the risks from cradle to grave in a project,” Millard explains. “And again, there is no point doing it unless someone acts on the advice.”
As such, Millard is set to start training PMOs in assurance best practice next year given their pivotal role in ensuring that projects are delivered successfully.
“Audit committees tend to be more focused on operational issues than projects. Outside of project assurance, they don’t necessarily know very much about how projects work,” Millard says. “They don’t understand the risk, so PMOs can be good sellers. They can champion how assurance will work around projects in an organisation and ensure that all reviews and audits are integrated and communicated effectively.”
‘Hide the faults!’
Mike Wild, senior programme manager at TSYS, is concerned that the relationship between auditors and project professionals is strained.
“If an audit is not brought in the right way, then project managers can get sensitive. It is a case of ‘Oh no, the auditors are here. Hide all the areas I know are at fault!’ It can be a game,” he says. “The audit team may not have the experience the project manager has and may come up with glib comments picked up from a textbook.”
Wild would rather see the creation of project support professionals working with junior managers.
“They would be experienced mentors, offering guidance,” he says. “They would not be there to find fault, only help projects be more efficient. They have the experience and credibility the audit team often lacks. I can see this going forward, but it is hard for some organisations to grasp. They may see it as an extra cost, but I’d be interested to hear peoples’ thoughts. Assurance should be feeding in the knowledge and experience all the way through.”
Wild is concerned that auditors are often brought in after the horse has bolted and stakeholders become worried about a project’s viability.
Nick Dobson, principal consultant at CITI agrees that assurance must be more proactive earlier in a project.
“There is no point bringing an audit team in post-fact, as that is an expensive process. You need to address measures before a project starts. That is quality assurance,” he says.
“What can we do to ensure that this process will run correctly? You look at the inputs and ensure you have suitably qualified and experienced personnel engaged and the right design processes. The more you refine the inputs the more certain your output becomes. Don’t lump assurance with audit together. That way it becomes a post-fact inspection function.”
Dobson says such a process can even play a part in employing project professionals.
“Project managers are a de-facto assurance function,” he adds. “It means not hiring sociopathic project managers if it is a project where there is a lot of interaction with stakeholders. If it is a more technically focused project, then you are better off with a sociopath with that specialist knowledge. You can take assurance as far as you like.”
You may also be interested in: