The value of programme and project assurance can be described as the process of checking that a programme or project makes the right commitments to the business and then delivers on those commitments. Assurance provides an independent, confidential, objective view of programme/project delivery with the goal of identifying potential risks before they become major issues. When deployed at the right time, by the right people, using the right methods, assurance gives confidence to the senior responsible owner/project executive that the right decisions are being made, and that outputs and capabilities are fit for purpose and are being delivered on time and to budget.
Assurance is defined as all the systematic actions necessary to provide confidence that the target (system, process, organisation, programme, project, outcome, benefit, capability, product output, deliverable) is appropriate. Appropriateness might be defined subjectively or objectively in different circumstances. The implication is that assurance will have a level of independence from that which is being assured.
What is the purpose of assurance?
The focus of assurance changes throughout the programme/project lifecycle, but its underlying purpose is to determine whether programmes/projects are delivering on their objectives at each phase/stage ,are compliant with risk management controls, and suggesting remedial steps where necessary. There is a clear link between the declining ability to influence the cost (and design) of a programme/project, and the increasing maturity of the programme/project in the lifecycle phase/stage – especially the importance of getting decisions right the first time and taking corrective action early. Where there is insufficient upfront planning, or change is not managed effectively, programme/project spend on rework unnecessarily grows quickly.
While assurance is important in every phase/stage of the programme/project lifecycle, there is a need for assurance activities to support successful delivery. It is in the early phase/stage of the programme/project lifecycle (pre-selection of concept) that the high value, high risk decisions are being made, and therefore that is when assurance can be of most benefit in helping make sure that these are the right decisions. In the later stages of the programme/project lifecycle, decisions are made within tighter boundaries, and the scope of assurance is focused on execution, change management, performance monitoring and operational readiness.
Why do assurance?
For a senior responsible owner (SRO) project executive, the value of undertaking an assurance process is to:
- Improve confidence that the programme/project is ready to progress to the next key decision point.
- Enable informed decision-making and judgement.
- Promote the conditions for success and deliver improved outcomes and benefits earlier.
- Improve transparency and visibility of programme/project performance at a point in time.
- Promote continual improvement in terms of product delivery, e.g. fit-for-purpose outputs and capabilities
- Enable portfolio, programme and project management and capability maturity improvements through the adoption of lessons learned.
What are the lines of defence?
Within programme and project delivery, there are four levels of defence to provide the senior responsible owner/project executive with confidence that the project is performing relative to its objectives and any relevant policies and standards. Each level is distinguished by an increasing level of independence from the initiative, with independent assurance critical to ensuring that internal conflicts between risk and value are appropriately managed and major decisions impacting value are controlled.
- The first layer of defence are the controls for time, cost, quality, benefits, scope and risk tolerances that are in place to mitigate and manage the risks facing the programme/project and subject to change control processes that are approved by the programme/project board.
- The second layer of defence is the monitoring controls used to assess the performance of a programme/project. It ensures that the objectives of the programme/project are being met by monitoring and measuring progress regularly to determine variances from agreed plans. When variances are identified, then corrective action can be taken.
- The third layer of defence is the Office of Government Commerce (OGC) gateway assurance process. This occurs at key decision points across the programme and project lifecycle and enables informed decision-making, which reduces the causes of failure, promotes the conditions for success and delivers improved outcomes.
- The last line of defence is the audit. It provides a retrospective and independent examination of the programme/project, where required, to evaluate and improve the effectiveness and efficiency of the organization’s risk management, control and governance processes.
What are the types of assurance?
There are four assurance types that support portfolio, programme and project management:
Project assurance refers to the programme/project board’s responsibility to monitor all aspects of the project’s performance and products independently of the programme/project manager.
Quality assurance is an independent check that products will be fit for purpose and meet requirements. It is the process responsible for ensuring that the quality of a service, process or product will provide its intended value in terms of quality, gateway, investment, technical, security, financial and architecture requirements.
Gateway assurance is a structured review of a project, programme or portfolio as part of formal governance arrangements carried out at key decision points in the lifecycle to ensure that the decision to invest as per the agreed business case and plans remains valid. It is performed by an experienced independent team to enable informed decision-making by identifying potential risks beyond portfolio/programme/project management visibility. Gateway reviews are not an audit, technical review or an inquiry.
Health check is a quality tool that provides a snapshot of the status of a project, programme or the portfolio. The purpose of a health check is to gain an objective assessment of how well the project, programme or portfolio is performing relative to its objectives and any relevant processes or standards. A health check differs from a gated review in that it informs specific actions or capability maturity development plans, whereas a gated review is part of formal governance arrangements.
The global impact of IT failure has been calculated at $3 trillion annually by Gene Kim, co-author of The Visible Ops Handbook and When IT Fails: The Novel; and his colleague, Mike Orzen, the author of Lean IT. Using the Standard & Poor 500 companies, aggregate 2012 revenue is estimated to be $10 trillion. If 5% of aggregate revenue is spent on IT and, conservatively, 20% of that spending creates no value for the end customer – that is $100 billion of waste! The 20% assumption is an extremely conservative number when you consider that they have analysed the value streams across all industries, and discovered that over 80% of the effort creates no value in terms of benefit to the customer.
Hence why assurance is so important, particularly early in the programme/project lifecycle, so informed decisions and judgements can be made at key decision points. If an investment cannot show a clear line of sight between strategic intent and financial and quantifiable benefits, why continue to invest?