PMO: Second Line of Defence – Integrated Assurance
That was the topic of the January 2020 PMO Flashmob with guest presenter Roy Millard. Roy is the founder and Chairman of the APM Assurance Specific Interest Group, and he talks to the PMO Flashmobbers with over 15 years' experience in this specialist knowledge area of project management.
So what is integrated assurance?
The definition of assurance first of all:
“The process of providing confidence to stakeholders that projects, programmes and portfolios will achieve their objectives for beneficial change” [APM BoK7]
Anyone with a vested interest in a project wants to know if it’s going well and it’s under control – and that needs to be objective and fact-driven. Integrated assurance is:
“The coordination of assurance activities where there are a number of assurance providers” [APM BoK7]
In integrated assurance the PMO is just one of many providers; others include, for example, quality, gateways, audits, systems and so on. The customer of assurance – who the PMO is providing assurance to – includes project boards, sponsors, SROs, media and the public.
Three Lines of Defence Model
In 2013, the Institute of Internal Auditors (IIA) published the Three Lines of Defence Model. The model focuses on the effective and efficient governance, risk management and control required to provide a holistic level of assurance. [You can read more about that model here.]
In the model the three lines are:
- First line: management control
- Second line: compliance oversight
- Third line: independent assurance.
Insights from the Session
This is just the tip of the iceberg, so you can watch the session for yourself, but here are just some of the points we made a note of throughout the session:
- Business cases were mentioned a lot during the session, which means the PMO will need to know about this subject area too.
- Difficulties in achieving assurance – all those examples listed are pretty much where we generally experience problems in projects, so should we be picking those off anyway and looking to see how we can help resolve them?
- For the PMO, it’s a case of getting to the point where we can ask challenging questions and also know that we’re probing in the right areas to find the answers.
- The GRA Trilogy – governance, risk and assurance – there’s also a GRC, the C being compliance. Compliance is not assurance.
- The PMO has to think about the right assurance service for the category of projects – it’s not the same level for all types and sizes.
Why should the PMO care?
If you’re working in the PMO, surely you have an interest in the success of projects – assurance is about promoting the probability of success. If you’re not interested in improving the probability of project success, don’t do it!
The Video Session
The audio cuts out a bit in places, but we think it’s not too annoying, so we still wanted to share the video session with you.
You can also download the session presentation. [Download the PDF]
More About Roy
For 15 years until November 2017, Roy was responsible for the planning and delivery of all internal audits of Transport for London’s Investment Programme, covering project and programme management, procurement and contract management, and for a period health, safety & environment. Prior to that, Roy worked as a project manager, risk manager and electronic engineer on many communications systems projects of values ranging to £1bn+. He now works as an independent consultant (trading as P3 Risk and Assurance) providing advice and support on matters of governance, risk and assurance in project organisations; training; and mentoring. He also works as an associate with a number of consultancies.
Roy has an Honours degree and a post-graduate Diploma in Management Studies; is a Fellow of the APM and a full member of the Institution of Engineering and Technology; was previously an APM Trustee; and is the founder and Chairman of the APM Assurance Specific Interest Group. Find Roy over on: LinkedIn, Facebook or Twitter