Integrated Assurance: Why is it so hard to get right?
by Roy Millard
As a project manager – and previously an engineer – I had long been used to dealing with assurance requirements, but they had generally been just about technical assurance or occasionally checking that I had project finances under control. Risk management was a thing, but nobody in the project world, including me, thought of risk as having much to do with assurance, expect for health, safety and engineering risks.
The idea of assurance being more broadly about overall project success (i.e. meeting all elements of the famous ‘Iron Triangle’ of cost, time and quality) was very new to me. Indeed, it seemed to be very new to just about everyone I spoke to about the subject: colleagues, clients and suppliers.
Today, of course assurance is everywhere in projects; sometimes (maybe often), if not actually to a project’s detriment, it’s certainly not much to its advantage.
This explosion of assurance has led to challenges. On one major public-sector project in the noughties, the Chairman of the organisation delivering the project, told me that one of his greatest concerns was that satisfying the assurance requirements of his many stakeholders would seriously affect the ability to deliver the project.
What he needed, along with every other senior sponsor in organisations delivering large, complex, expensive projects, was an approach to managing all of this required assurance activity in a way that was efficient, satisfied all stakeholders, and didn’t adversely impact upon delivery. Integrated Assurance was born.
Also born at around the same time was the Association for Project Management’s Specific Interest Group (SIG) on Assurance, which I founded with the purpose of helping those responsible for projects to get a grip on this new component of project management.
Working closely with the Major Projects Authority (successor of the Office of Government Commerce, and predecessor of the Infrastructure & Projects Authority), who were also struggling with the headache of everyone wanting to assure projects, the SIG developed its ‘Guide to Integrated Assurance’. This, for the first time, gave organisations guidance on how to implement an Integrated Assurance approach for their projects.
Despite the popularity of this guidance, the imperative of getting assurance right, a litany of high-profile project ‘difficulties’ (I won’t use the word ‘failures’) that assurance should have prevented, I believe that very few organisations could claim that they have actually completed a successful Integrated Assurance implementation.
Why not? The things that assurance assures can be complex, but assurance isn’t. The principles of good assurance and Integrated Assurance are not difficult to understand.
So, why is getting Integrated Assurance right so hard?
Three typical barriers. There are more, but these are my top three.
In a world where even the term ‘assurance’ can mean different things to different people, it’s not surprising that there’s often confusion about what Integrated Assurance is. Assurance can be passive or active; retrospective or forward-looking; partially or fully separate from the activities being assured; include or exclude audit; point-of-time or continuous; background or intrusive. Assurance can be all of those things, but people often have particular strongly-held views that differ.
2. You can’t agree how to integrate when you cannot agree what to integrate.
Even when there is agreement on what’s in scope, the term ‘Integrated’ can cause disagreement. It does not just mean ‘coordination’ of activities. Integration means joint planning, sharing of assurance information, common assumptions, consistent terminology, and many other things. Trying to integrate without allowing for all of these aspects is not going to be very successful. Assurance providers are very familiar with the purpose of assurance, and its processes. However, customers of assurance – those who need the assurance to influence their decision-making – are typically not. At best, for them assurance is a bit of a mystery and a necessary evil; at worst they seriously question it. The benefits of a more integrated approach is therefore lost to them. When the customer is not asking for something, why give it to him?
3. Good assurance needs to work closely with risk management and governance, and they all need to inform each other; weakness in one leads to weakness in the others.
This is another fact that is not well-understood. So, tackling just assurance arrangements yields fewer benefits – if any – because the other two do not support those benefits.
As I have already said, assurance providers typically understand very well what assurance is, what the processes are, and why they are doing it. However, all of that is from their own point of view as a particular provider within a particular part of the organisation.
There is almost always resistance to changing how they work to accommodate the different practices of other providers. Their priorities are to address the particular activities they are responsible for assuring (be that health & safety, quality, commercial, etc.), and satisfying their bosses in the organisation. Their job description will say nothing about having to work within an integrated framework.
Assurance integration therefore requires organisational change, to make interests align.
Even when there is a general recognition that assurance provision needs to be improved, and that adopting Integrated Assurance is the way to go, there is not always an obvious owner for the implementation and/or resultant framework.
True Integrated Assurance covers all aspects of an organisation’s activities. It is not possible to merely implement it for projects, as it needs to interface with BAU, and many assurance functions cover both projects and BAU.
The eventual owner needs to properly understand what Integrated Assurance is; be readily accepted as the owner; and have the appropriate passion, authority and influence to make it work.
Finding the right individual is critical. Without strong leadership, necessary changes in ways of working will not be effective, and the old status quo will return.
The amount of information produced by assurance can be prodigious. The opportunity for it to conflict and confuse is great. The owner needs to be able to ensure that all of the information can be distilled down to straightforward and unambiguous conclusions, without compromising the underlying messages.
Three things that I have learned
Again, there are more, but these are my top three.
1. Top-level commitment is essential
The scale of the organisational changes typically needed; the need to challenge entrenched behaviours; the need for senior authority to operate an organisation-wide framework; and the likely changes in organisational culture, all require a commitment to implement Integrated Assurance at the highest level.
Ideally, implementation will be sponsored by a Board Chair or by an Audit Committee. It should be seen as a vital requirement for the Board to meet its corporate governance obligations.
2. One step at a time
Albeit with a future blueprint for a full framework in mind, implementation should be done over a number of stages. One reason for this is that existing assurance needs to continue as usual. An interruption to existing assurance could have serious implications. Assurance rarely exists without good reason, and its absence would almost certainly have a negative impact. Step-wise changes will help minimise this risk.
Another reason is that it is often difficult to see what the ultimate best arrangements would be. These will evolve over time, as the organisation responds to the changes already made. A wholesale implementation will almost inevitably fail, which will hardly improve the appetite for future attempts.
3. Don’t over-engineer
Assurance professionals tend to like detailed processes. Sometimes these are needed. However, for the most part processes should be high-level and principle-based. The more detail needed, the harder it is to design the common processes that are needed for Integrated Assurance.
As much as possible, assurance providers should be able to work anywhere within the framework. Differences in required skills, knowledge and experience should be minimised. This will ensure efficient use of resources, and break down barriers between assurance disciplines.
Common reporting formats should be adopted. Different formats increase administration and bureaucracy, complicate consolidation of findings and conclusions, and maintain perceptions of assurance fragmentation.
As with much in life, the adage of ‘keep it simple’ applies to Integrated Assurance.