Project Assurance - 3 Lines of Defence
3 Lines of Defence
Richard Mulder explains how to ease Post-Covid panic through Project Assurance.
The corona virus pandemic has reset the ‘norms of life’ button. The term ‘new normal’ has become mainstream as societies grapple with social adjustments and survival economics.
Globally, efforts are being made to build resilience at every level of society (in healthcare, governance, socio-economic support, educational continuity, and togetherness management). Naturally, the focus of these efforts is two-pronged:
(1) containment of the current crisis, and
(2) planning future social and economic security once the intensity of the pandemic subsides.
For business to recover, a stimulus and investment into larger scale projects will need to be a priority! It’s unlikely that businesses will have the appetite to throw large amounts of capital at projects just on return. It is now more critical than ever that there will be fundamental considerations that will need to provide confidence and assurance to decision-makers on the vulnerability, exposure and assurance of project success. Decision-makers will need:
- a willingness to recalibrate and adapt based on what has been learned
- reiterative de-risking projects and capturing emerging risks
- to ensure readiness for project success through critical analysis
This is where Project Assurance comes into the equation
For the uninitiated, Project Assurance is the process of critically assessing the health and viability of a project (at the risk of over-simplifying it, think of it as an audit function). The independent assessment involves steps that confirm the project complies with regulatory/internal / investment standards and provides comfort to decision makers and senior users that their project is set up for success.
Normally carried out by an external agency, the review is objective, and this helps to identify strengths, weaknesses and opportunities that might be missed by those so intimately involved with the business.
In its complete form, Project Assurance should provide three lines of defence:
- Line 1: Project team conducts day to day monitoring, control and risk review.
- Line 2: Management - Specialist functions that oversee risk
- Line 3: Independent assurance outside the project team and manager, either internal or external
These lines of defence typically focus on risk, or de-risking the project across the various project disciplines.
Line 1 - Project Team:
Most projects implement Line 1 defence with a well disciplined approach to project management. A project team will, as part of routine review risk registers, schedule, cost, engineering requirements and compliance, quality, health and safety. Line 1 defence is not earth-shatteringly new.
Line 1 defence should include project team and line management around activities that would:
- Identify and manage the risk that the organisation faces in its day to day business
- Implement controls and supplement minimum standards relating to the risks they are accountable for
- Verify the effectiveness of the controls for the risks they are accountable for
Line 2 - Management - Specialist Functions That Oversee Risk:
Where a lot of organisations either lack the capacity and expertise, is providing the project team with line 2 defence support. This is where an external Project Assurance specialist brings value.
Line 2 defence is incumbent upon management and specialists within specific disciplines to provide guidance, mentoring and accountability to the project team.
- Provide the process, coaching and tools to facilitate risk identification and agile management
- Define minimum standards / processes to manage project risk
- Objectively validate first line defence activities and underlying controls to improve processes and assure that risks are being managed
Line 3 – Independent Assurance Outside Project Team and Manager:
Line 3 defences essentially bring the checks and balances together and articulate to the executive leadership teams where the business is exposed and the adequacy of current risk controls.
- Perform internal / external Audits on the effectiveness of processes and controls within 1st and 2nd line of defence to manage project risk
- Assure executives, on the overall adequacy of the control environment
- Leverage an enterprise wide view to actively contribute to the organisation in terms of ongoing learning.
Now that we understand what a Project Assurance Review is and the focus, there are some critical aspects to implement to get the best possible value with the following 7 critical factors:
Now is an opportune time to ramp up preparations and ensure absolute readiness to hit the ground running with new projects when restrictions ease.
The next article in the series that will expand on the critical steps vital for project assurance success.
We welcome your feedback on these critical points of interest.