Steering your way around common errors in the design of asurance arrangements is the best way to deliver a happy IT project

There is no doubt that major IT system implementation failures over the past 30 years weigh heavily on people’s mind when planning, procuring, implementing and using new systems.

The reasons for such failures are often complex, but the impact of not recognising that there are fundamental issues with a project – and putting in place remedial action – can be catastrophic financially, operationally and reputationally.

However, there are a number of common mistakes that organisations make in designing the assurance arrangements for their project:

  1. Assurance plays no part in the overall project governance or delivery structure – it is either not thought about or not deemed to be important by the project team.
  2. External assurance is not funded as part of the overall business case for the project, making it difficult to include once the business case has been signed off.
  3. Assurance is undertaken by internal stakeholders who may be (often unintentionally) influenced by their colleagues in the project team, leading to either internal ‘group think’ or a lack of challenge, particularly on difficult issues.
  4. Assurance is not built into every stage of the programme, but starts and ends with the solution deployment.
  5. Audit and assurance are mixed up. An audit will verify that the project has undertaken the agreed actions (retrospective review), whilst an assurance review will provide recommendations to ensure that the project achieves its objectives.
  6. Office of Government Commerce gateway assurance is not always the best solution: Although OGC gateway assurance reviews use a tried and tested methodology for public sector projects, it is fixed in its approach and reporting format, and is often not flexible enough to meet client needs. Such reviews can only be undertaken by accredited and trained suppliers, and review teams will often comprise team members with limited sector experience.

Project assurance works best when it is:

  • Built into every stage of the overall project lifecycle from requirements definition to post-implementation review of benefits delivery
  • Properly costed and funded through the project business case
  • Undertaken by an external organisation with expertise in the sector within which the deployment is to take place
  • Modular, flexible and responsive to the needs of organisations who are at various stages of planning, procuring or implementing digital solutions
  • Tailored to the specific requirement of the Senior Responsible Owner (SRO)
  • Based on industry ‘best practice’ principles (such as the OGC Gateway reviews)
  • Focused on developing practical solutions to address the identified issues to enable the project to move forward safely and at pace
  • Seen as a core partner in the successful delivery of the project
  • Reported in an open and constructive manner, enabling the client to hear at first hand the assurance observations and recommendations, and to challenge the findings
  • Complemented by internal audit to ensure that the project team follow through and deliver on the assurance recommendations in a timely manner.





In summary, there are still too many large digital implementations that do not have appropriate assurance arrangements in place to reduce the risk of their organisation becoming the next high profile digital solution disaster.

By ensuring that external assurance is built into every step of the project, combining it with the rigour of internal audit to ensure that recommendations are actioned, and using assurance in an iterative and developmental manner (in a trusted partnership with an assurance supplier to help guide the project to achieve its intended outcomes), SROs and project teams can significantly reduce the risks of this happening.

Adam Drury is director at GE Healthcare Finnamore