Ready for risk reporting?
Because senior management hates surprises, risk audits have become statutory. Are you prepared?
BY GREG HUTCHINS, CONTRIBUTING EDITOR
On 1 August 2002, the New York Stock Exchange (NYSE) required its listed companies to conduct risk management audits through internal audit groups. This is now going to the Securities and Exchange Commission (SEC) for a final ruling.
As a result, accountability, transparency and full disclosure are now the “True North” of all boards of directors and senior management. For the last three years, cost and delivery have driven program and project performance metrics, but today's senior managers are interested in managing risk.
All too often, program and project managers have been criticized for not linking their projects to strategic objectives. Program managers are thought to have a tactical perspective, and project managers are believed to focus only on activities. This attitude results in professional hara-kiri.
All program and project managers should be aware of how the new corporate strategic initiatives affect them and how they can align with the new governance initiatives. Senior management and internal auditing now want to know what risks reside in projects and how they are controlled.
What Types of Audits to Conduct?
The NYSE and SEC require organizations to conduct an audit that will be “an independent, objective assurance and consulting activity designed to add value and improve an organization's operations,” according to the Institute of Internal Auditors (www.iia.org). “It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
There are a number of programmatic and project implications to this definition, specifically:
■ Good corporate strategy is based on risk management
■ Significant programmatic and project risks must be identified, controlled and audited
■ Audits follow a systematic and disciplined approach
■ Programmatic and project audits help an organization achieve its business strategies and objectives.
Program Management Audit
Process risk management and process controls are the significant benchmarks of program management audits. According to “Internal Control – Integrated Framework” by the Committee of Sponsoring Organizations of the Treadway Commission (www.coso.org), a programmatic risk assessment evaluates:
■ Control Environment. Senior management sets the program and project tone, vision, mission and goals. Daily project control defers to the project managers and team stakeholders, who own the process.
■ Risk Assessment. Effective risk management requires consistent programmatic processes that are stabilized, controlled and managed.
■ Control Activities. Programmatic control activities consist of the people, policies, suppliers and other factors that ensure that program portfolio risks are identified, monitored and mitigated throughout the project, product or contract life cycle. Controls may include approvals, authorizations, validations, verifications, reconciliations and segregation of authorities.
■ Information and Communication. Without program information and communication, you have no control.
■ Monitoring. Portfolio control systems and processes are monitored at the programmatic level. Ongoing monitoring should ensure continual improvement through corrective and preventive actions.
Project Management Assessments
“ORCA” is a common project risk audit methodology. Its principal elements are:
■ Objectives. Identify organizational and project goals and ensure alignment
■ Risks. Identify project threats
■ Controls. Define project checks and balances
■ Assess. Evaluate the effectiveness of project controls to satisfy business/project objectives and manage risks.
When conducting a project risk assessment, the auditor typically evaluates how the program or project manager directs and controls:
■ Actual or potential risk impacts of the project
■ Safety, environment and/or health issues
■ Degree or magnitude of these impacts
■ Frequency or likelihood of these impacts.
All program and project managers in both private and governmental organizations should know how to manage and analyze risks.
Greg Hutchins is a principal management consultant with QPE, a program, process and project management advisory firm in Portland, Ore., USA. He is the author of Value Added Auditing. QPE's core competency is leading/coaching project teams to do the right things right on time.
Send comments on this column to email@example.com.
PM NETWORK | NOVEMBER 2002 | www.pmi.org