Project Management Institute

Ready for risk reporting?


Because senior management hates surprises, risk audits have become statutory. Are you prepared?


On 1 August 2002, the New York Stock Exchange (NYSE) required its listed companies to conduct risk management audits through internal audit groups. This is now going to the Securities and Exchange Commission (SEC) for a final ruling.

As a result, accountability, transparency and full disclosure are now the “True North” of all boards of directors and senior management. For the last three years, cost and delivery have driven program and project performance metrics, but today's senior managers are interested in managing risk.

All too often, program and project managers have been criticized for not linking their projects to strategic objectives. Program managers are thought to have a tactical perspective, and project managers are believed to focus only on activities. This attitude results in professional hara-kiri.

All program and project managers should be aware of how the new corporate strategic initiatives impact them and how they can align with the new governance initiatives. Senior management and internal auditing now want to know what risks reside in projects and how they are controlled.

What Types of Audits to Conduct?

The NYSE and SEC require organizations to conduct an audit that will be “an independent, objective assurance and consulting activity designed to add value and improve an organization's operations,” according to the Institute of Internal Auditors. “It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

There are a number of programmatic and project implications to this definition, specifically:

Good corporate strategy is based on risk management

Significant programmatic and project risks must be identified, controlled and audited

Audits follow a systematic and disciplined approach

Programmatic and project audits help an organization achieve its business strategies and objectives.

Program Management Audit

Process risk management and process controls are the significant benchmarks of program management audits. According to “Internal Control – Integrated Framework” by the Committee of Sponsoring Organizations of the Treadway Commission, a programmatic risk assessment evaluates:

Control Environment. Senior management sets the program and project tone, vision, mission and goals. Daily project control defers to the project managers and team stakeholders, who own the process.

Risk Assessment. Effective risk management requires consistent programmatic processes that are stabilized, controlled and managed.

Control Activities. Programmatic control activities consist of the people, policies, suppliers and other factors that ensure that program portfolio risks are identified, monitored and mitigated throughout the project, product or contract life cycle. Controls may include approvals, authorizations, validations, verifications, reconciliations and segregation of authorities.

Information and Communication. Without program information and communication, you have no control.

Monitoring. Portfolio control systems and processes are monitored at the programmatic level. Ongoing monitoring should ensure continual improvement through corrective and preventive actions.

Project Management Assessments

“ORCA” is a common project risk audit methodology. Its principal elements are:

Objectives. Identify organizational and project goals and ensure alignment

Risks. Identify project threats

Controls. Define project checks and balances

Assess. Evaluate the effectiveness of project controls to satisfy business/project objectives and manage risks.

When conducting a project risk assessment, the auditor typically evaluates how the program or project manager directs and controls:

Actual or potential risk impacts of the project

Safety, environment and/or health issues

Degree or magnitude of these impacts

Frequency or likelihood of these impacts.

All program and project managers, both in private and governmental organizations, should know how to manage and analyze risks.

Greg Hutchins is a principal management consultant with QPE, a program, process and project management advisory firm in Portland, Ore., USA. He is the author of Value Added Auditing. QPE's core competency is leading/coaching project teams to do the right things right on time.

This material has been reproduced with the permission of the copyright owner. Unauthorized reproduction of this material is strictly prohibited. For permission to reproduce this material, please contact PMI.
