P3 assurance is the process of providing confidence to stakeholders that projects, programmes and portfolios will achieve their scope, time, cost and quality objectives, and realise their benefits.
The sponsor is responsible for P3 assurance, which differs from quality assurance in that it is performed within the P3 organisation. It must be independent of those directly involved in the delivery of work. This independence can be achieved in a number of ways including, for example, using individuals external to the delivery team, or merely by regular and formal reporting of agreed information in a manner that cannot be influenced by the delivery team. Assurance makes recommendations but not decisions, although it forms a sound basis upon which decisions are taken.
Assurance will often be risk-based, with the riskiest aspects of the work being subject to the most rigorous assurance processes. In this context, the term ‘risk’ relates to the management environment, rather than the delivery risks that would appear in a P3 risk register.
These risks may, for example, relate to the experience of a project manager, or the ability of the host organisation’s systems to provide the necessary financial data. The risk assessment which drives this assurance needs to take into account contextual and environmental risks, as well as the possibility of unforeseen and emergent risks.
More complex projects, programmes and portfolios typically need a suite of assurance processes. This ensures that all aspects are adequately covered, e.g. security, regulatory compliance, governance processes.
In these environments a number of different assurance providers may be needed, each of which will have their own processes and defined scope designed to meet the needs of one group of stakeholders. It is possible for the total assurance burden to become onerous in these circumstances. This in itself presents a risk of progress being jeopardised by the very process that is supposed to increase confidence in the achievement of the deliverables.
When there are a number of assurance providers, the sponsor must get them to work in a coordinated manner, sharing information where possible and ensuring that all aspects are covered. This approach is known as integrated assurance.
The intended approach to P3 assurance, the resources required and scheduled reviews are all set out in the quality management plan. Since it is the sponsor’s responsibility to ensure that independent project assurance is implemented, the project assurance part of the quality management plan has to be prepared by the sponsor or delegated to someone not involved in delivery.
Assurance will involve reviews and audits but it should not be reduced to a simple inspection of management processes. The resources responsible for assurance should be capable of providing advice, guidance and support in the implementation of governance processes.
Typically, assurance resources will come from the support function, provided that they are independent from the delivery of the project, programme or portfolio. It is the sponsor’s responsibility to use the results of the assurance process to address any failings in the management of the project and instil confidence in the project amongst its stakeholders.
Where the project is part of a programme or portfolio, the assurance reviews and audits will be conducted by the programme or portfolio support function. Where the project is stand-alone, the sponsor must secure resources from outside the project to provide assurance.
Within a programme there are two levels of assurance: assurance of the projects and benefits realisation activities; and assurance of the programme management process.
The programme manager often fulfils the role of sponsor for the component projects and, in this position, has responsibility for project assurance, while remaining independent from programme assurance. This will require the programme sponsor to plan assurance using separate resources for project and programme-level assurance.
At the portfolio level, arrangements within projects and programmes interface with the host organisation’s assurance function. The host organisation will typically have mandated assurance functions. It is usually the responsibility of those in charge of these business-wide functions to ensure that the business has the assurance it needs.
Portfolio assurance needs to flow to the organisation’s board as it provides a critical link between assurance and organisational governance. Usually, the organisation’s audit committee has a general duty for ensuring that the board has the assurance that it needs. The audit committee, therefore, has a key assurance role to play within portfolio management.