Guide to integrated assurance review
Assurance is defined in the APM Body of Knowledge 6th Edition as being the process of providing confidence to stakeholders that projects, programmes and portfolios will achieve their scope, time, cost and quality objectives, and realise their benefits. It is therefore a fundamental component of a good and robust project governance regime, by providing confidence to the board of the organisation and the sponsor that delegated activities are on track to be delivered. Assurance requirements will vary between the stakeholders of a project, and there may be a number of different providers of this assurance. This can lead to uncoordinated assurance activity, with the risks of duplication of effort and gaps in coverage and reporting.
Put simply, integrated assurance involves the bringing together of the various requirements for and sources of assurance for projects, programmes and portfolios, to deliver that assurance in a co-ordinated, systematic and structured manner.
In April 2014 the APM Assurance SIG issued its publication Guide to Integrated Assurance, with the aim of assisting organisations to develop and implement a systematic approach to integrated assurance, linked to overall project and organisational assurance strategies. The purpose of the systematic, strategic approach is to co-ordinate assurance activities to ensure maximum impact and benefit at minimum cost and disruption. The guide is consistent with the APM BOK 6th Edition, and with Directing Change: in particular with principle 9 independent scrutiny of projects; with components PS8 - independent advice for sponsors; PM2 and PM3 the need of the organisations board for assurance; and DR7 independent verification of project information. It also supports Sponsoring Change component SB09 that the sponsor should provide assurance to the board.
The guide notes that assurance resources should be applied where risks are highest. It identifies four dimensions across which integrated assurance can be considered:
Multiple stakeholders, by bringing together their requirements to be provided under a single set of assurance activities
Governance hierarchy, by applying the assurance at the appropriate level in the hierarchy of project, programme or portfolio
Lifecycle stages, recognising that assurance activities will be carried out on a number of occasions throughout the project lifecycle, and should be appropriate to that stage of the lifecycle
Level of independence, which recognises that assurance reports can emanate from a number of sources of varying independence, and can be used to inform a minimised set of additional independent assurance activities.
The target audience for the guide includes those responsible for projects, programmes and portfolios, particularly sponsors; and stakeholders with an interest in the successful delivery of benefits.
The guide sets out six principles of integrated assurance:
Independent and objective view
Accountability, assurance being owned by the sponsor
Planning and coordination, through an integrated assurance strategy and plan
Proportionate, by tailoring and avoiding duplication of effort
Risk-based, assurance effort being agreed with stakeholders
Impact, follow up and escalation by providing a single view of assurance
The guide identifies a number of stakeholders and providers. Stakeholders requiring assurance include public and private bodies and organisations, headed by sponsors; regulators; end users; investors and funders; suppliers; client operational and support functions; and the project management team. Providers of assurance to stakeholders include NAO; internal and external auditors; gated reviewers; functional reviewers e.g. health and safety, environmental and technical; and quality assurance.
The role of the sponsor is emphasised in the guide, as being a single voice in terms of assurance requirements, priorities and, when necessary, change. The sponsor should develop an assurance strategy and plan in the context of risk management, taking account of risk, concerns, resources and the project lifecycle.
Assurance is especially important at key milestones/ decision points during the duration of a project, and at other times to assess whether processes and controls are being operated effectively. The assurance plan should remain active, able to reflect changes in assurance requirements throughout the life of a project.
The guide also sets out a recommended approach to the implementation of integrated assurance, by consultation with all stakeholders; identification of risk; agreement of reporting requirements and assurance levels; agreement of escalation routes; approvals; and selection of assurance providers.
Recorded barriers to the introduction of integrated assurance appear to recognise the common causes of project failure listed in Directing Change, such as lack of ownership or misalignment of interests. The guide records examples of good practice, for example that the sponsor should have a clear view of the assurance arrangements in place; that assurance being developed from the top down and should be risk based; and that projects should recognise the cost and resource implications of providing integrated assurance.
Responsibilities of the various roles in a project, programme or portfolio in relation to integrated assurance are set out in the guide, which also provides tools in the form of templates, checklists and matrices related to the development and implementation of an approach by an organisation to integrated assurance.
The UK Governments Major Projects Authority has published guidance on Integrated Assurance (2012), with which the APM guide is consistent, and there are examples of other organisations and professional bodies which have accepted that an integrated approach can lead to more effective and efficient provision of assurance.
The Guide to Integrated Assurance offers expert knowledge and interpretation of an important topic, on which there has been limited formal guidance to date. If the guidance is adopted, more effective and economical use of assurance resources is likely to follow.
Peter Deary MAPM