Effective project assurance inspires confidence in stakeholders that objectives are going to be met, enables the identification of early warning indicators and corrective actions to bring projects back on track, and, ultimately, can lead to better decisions in projects. Yet many organisations are so busy delivering that they neglect the importance of assurance or, as often happens, do not realise that one size doesn’t fit all. In fact, for organisations with low maturity in their assurance capability and/or when first starting in their assurance journey, it is common to find a lack of proportionality, where all projects are subject to the same controls and assurance requirements. The result: overburdened and unhappy teams, bureaucratic processes, and non-value-adding activities. Trust me – too much assurance is as concerning as a lack of assurance. Finding the best fit, the ‘just enough’ balance, is needed. But how to get there? Read on to find out.
What do we mean by proportionality?
Instilling proportionality in assurance is a key principle of integrated assurance (APM’s Guide to Integrated Assurance) and an example of what good assurance looks like. It refers to having assurance that is reasonably practicable in relation to the level of risk involved. Originally, this idea is linked to the assessment of risk, especially health and safety risks, as described in the Health and Safety at Work Act (1974), which states that controls should be applied to reduce risks to an ALARP (“as low as reasonably possible”) level, that is, the risk must be significant in relation to the sacrifice (in terms of money, time or trouble) required to avert it. Just enough assurance!
How to build proportionality?
Requiring a project health check every quarter for a well-defined, low-complexity, low-budget project expected to run for one year could be overkill; however, it could be just right for a multi-million-pound, high-priority, high-complexity project. The level of scrutiny required should be appropriate to the characteristics of the projects, which can be grouped by types or tiers. The higher the tier, the higher the level of scrutiny required.
Some drivers and tools you can use to identify your project tiers are:
- Budget size: for many organisations, the budget size on its own is a fundamental criterion, where the bigger the budget, the more assurance is needed.
- Risk vs budget: more mature organisations will also want to consider the risk profile or level of risk exposure of the project. Risk-based assurance means that different levels of assurance are applied proportionately to a potential risk profile.
- RPA: the Risk Potential Assessment tool, from the IPA, is a well-established tool and does exactly what it says on the tin – it assesses the risk potential of a project using a set of pre-defined questions that result in a certain score.
- DECA: similar to the RPA, the Delivery Environment Complexity Analytic, from the NAO, offers a complete and holistic way of assessing the complexity of the project, and, by association, indicates its level of risk.
- Custom tailoring model: other assessment and tailoring models can be used to accommodate the criteria that are valued by your organisation. In the past, for instance, I’ve used a variation of the NTCP (novelty, technology, complexity, pace) model to determine the different project tiers.
How to apply proportionality?
Once the project tiers are identified, they can determine a variety of elements of how proportionality is applied in practice in your assurance framework. Some typical scenarios include:
- Types of assurance reviews: should this project tier involve project audits, or will stage gate reviews be sufficient?
- Assurance frequency: should this tier require quarterly health checks or will annual ones be sufficient?
- Assurance budget: higher tiers (higher risk projects) are likely to require more assurance resources, hence a higher assurance budget too.
- Composition of assurance teams: higher project tiers usually involve higher complexity due to the larger number of areas impacted, often requiring assurance teams with representatives from these areas.
- Trigger for external assurance: higher project tiers require more scrutiny; thus, projects that fall into this tier are likely to receive assurance conducted by independent external parties.
- Assurance reporting format: higher tier projects may require simpler reports – there’s too much complexity on the project already – to enable visibility over the ‘so-what’ impact.
- Assurance audience: projects that are deemed strategic or high risk are likely to be reported to extended audiences and higher in the hierarchy of the organisation, often also to a Risk and Audit Committee.
- Assurance governance: decisions on assurance, including approvals, are expected to be made by different governance bodies depending on the project tier.
All of the above should be outlined in the Integrated Assurance Framework of the organisation and confirmed by the Integrated Assurance and Approvals Plan specific to the project.
If you are just starting to build proportionality into assurance, use it as an opportunity to build engagement and to co-create what the end result will look like. Remember: no one destroys what one helps to build!