Businessman working with new modern computer and business strategy as concept

How to apply leading program project risk management principles over large-scale projects during a disruption

How to apply leading program project risk management principles over large-scale projects during a disruption

10 Minute Read

Large scale projects imply large scale risk. Find tips on how to deal with disruptions by incorporating agile project management auditing techniques outlined in our latest whitepaper.

Partner, National Leader, Internal Audit Services

Applying program / project risk management principles during a disruption

At the best of times, large-scale projects (capital and information technology) face numerous challenges to completion, from labour shortages to cost escalation and mismanagement. Up to 75 percent of megaprojects run overbudget, with Canada’s Institute on Municipal Finance and Governance and Munk School of Global Affairs pointing to “technical challenges, over-optimism and strategic misrepresentations” as the top three drivers of cost overruns and schedule delays on infrastructure projects. [1]

Since 2020, the impact of the global pandemic has seen challenges multiply exponentially, elevating the need for strong project risk management on capital projects of all sizes and types, including modernization transformations. Billions of dollars have been added to project costs, covering everything from skyrocketing material costs to schedule delays due to supply chain disruptions and forced work stoppages.

While COVID-19 was not on anyone’s radar prior to late 2019, a clearly defined project risk management framework can identify early warning signs and reduce risks exacerbated by the pandemic by proactively addressing them before they become events, enabling proponents to complete and achieve the intended outcomes of a project. This whitepaper provides an overview of the fundamentals of project risk management methodologies, with proven agile project management principles established over hundreds of capital projects.

10-step project risk management guidelines

Project managers will be familiar with the nine project management knowledge areas outlined by the internationally recognized Project Management Institute (PMI). Each area described in the Project Management Body of Knowledge Guide (PMBOK) provides guidelines to manage projects of all types and sizes, focusing on integration, scope, time, cost, quality, human resources, communications, risk, and procurement.

However, one area which the PMI doesn’t address is the post-benefits realization. This demonstrates return on investment and is a critical component to show project value to stakeholders, and that the project is achieving what was intended. As such, the following list includes a tenth point, Benefits Realization, to definitively evaluate program / project success from both a functional and financial perspective.

Project management knowledge areas

Integration - Ensures elements of the program / project are properly coordinated. This includes program /project plan development and execution, and integrated change control.

Scope - Activities surrounding the planning, creation, and fulfillment of program / project scope.

Time - Ensure the program / project is completed in a timely and effective manner.

Cost - Ensure that the program / project is completed cost effectively and within the approved budget.

Quality - Ensure the program / project satisfies the needs for which it was undertaken. It consists of the three Q’s; quality planning, quality assurance, and quality control.

Human Resources - Work required to most effectively utilize the program / project team (internal and external) and key stakeholder inputs.

Communications - The work required to timely and appropriately identify, collect, disseminate, and store program / project information among the program / project team and key stakeholders.

Risk - One of the more critical elements of program / project success, this area is concerned with identifying, analyzing, and responding to program / project risk.

Procurement / contract - The focuses on vendor contract administration and contract closeout.

Benefits realization - A subset of quality management that involves the creation of a benefits dashboard to gauge project results against key prioritized functional and return-on-investment requirements.

Agile project management auditing

Traditionally, project audits have been seen solely as output or deliverables based. But if you view project management as an agile, real-time endeavor, you’ll see it’s not the outputs that are critical, it’s the quality of the outcomes – which demonstrate clearly the task achieved what was intended in terms of benefits to be realized. The task could be revenue generation, cost savings, both leading to profit optimization. Or it could demonstrate operational efficiency, automation to successfully streamline operations or elimination of redundancies in processes or personnel.

By applying an agile approach to project management, this will establish a risk-based, decision-making framework that should be applied to every project. To ensure risks are projected, mitigated and resolved in a timely manner that considers future outcomes, an effective agile audit is based on three key pillars.

Auditing Project Control Effectiveness

To view an accessible version of this infographic, please download the accessible pdf.

To accomplish goals in manageable bites, the project manager starts by setting up milestone objectives; for every key milestone, there should be very specific results. These milestones are pared into sprints, following the philosophy of agile project management to undertake a project in waterfall fashion, or one achievement flowing into the other.

Sprints segment blocks of the project into discrete components, thus making it more manageable as you are setting up critical success factors along the way – the larger the project, the more critical that is. For example, a multibillion-dollar project that has a four-year time frame needs to have each step assessed in a timely manner to ensure it stays on track. Post-mortem audits no longer deliver value, particularly when multi-stakeholders with third parties or counterparties are invested. An agile model where milestones are actively tracked and audited, and problems addressed helps ensure external parties are meeting their obligations as the project unfolds.

Project Lifecycle

To view an accessible version of this infographic, please download the accessible pdf.

Project management collaboration

The project management office (PMO) typically is governed by an executive committee and overseen by a program director, who ensures cross functional coordination with the project manager and engineering teams. These leaders keep track of the project controls group and maintain project forecasting and reporting, project accounting, quality assurance and working capital – both accounts payable and accounts receivable. As well, strategic sourcing, internal audit, operations, procurement, and contract management are all areas that are overseen and directed by the PMO.

The collaboration of the PMO and the internal auditor is critical over the entire lifecycle of the project, be that as part of the PMO or the steering committee that oversees the PMO. The strength of the independent, experienced internal auditor lies in being able to view the project strategically, ask insightful questions and help establish the project management and oversight foundation so each of the various stakeholders in volved each know what they need to be doing.

Establishing a Project Management Office

To view an accessible version of this infographic, please download the accessible pdf.

The internal auditor can complete deep dive micro audits in targeted risk areas of the project as the project unfolds through:

  • a real-time project risk register,
  • delivering objective feedback to the project steering committee, executive management and the Board to confirm the project is running as expected and achieving stated goals.

As well, the internal auditor will identify project gaps if things aren’t progressing as management had expected – delivering the impartial validation needed to ensure both accountability and successful performance.

While many view the PMO as driving operational efficiency or effectiveness, the collaboration between the PMO and the internal auditor is more about optimizing three key components of any project - people, processes and systems - so they are all aligned and functioning together.

Project Controls Group

To view an accessible version of this infographic, please download the accessible pdf.

Contingency planning

If something like a pandemic wasn’t included in project risk assessments in the past, it certainly will be in the future. Not many organizations had prepared for the ripple effects of the COVID-19 pandemic which saw material and labour costs skyrocket on disrupted supply chains and an abrupt move to virtual workplaces. Most corporations and organizations had to expand their project time horizons, as well as recalibrate budgets in adapting to the new reality.

And here is where moving away from the traditional concept of a contingency fund comes to play. Rather than succumbing to the common practice of having a flat (e.g., 10 percent) contingency fund to cover expected cost overruns and being overwhelmed by unexpected events, experienced auditors see a risk-based contingency fund that considers all the specific risk factors at each stage of the project, along with risk allocation, being more effective in keeping a project on track.

As part of the project risk management framework, build a contingency fund that ties back to risks you can foresee at each stage or sprint, based on potential likelihood and impact. Even if nobody could have predicted COVID-19 or its significance, going forward, every project will have a contingency fund / plan to incorporate impact of unexpected disruptions. Because it’s not only a pandemic that can halt a project, but as other threats are also becoming more prevalent, such as cyber-attacks, geopolitical issues, labour shortages, union disputes and strikes, protests and riots impacting supply chains, fire and floods, etc.

These are events that if they have not been considered before, should be incorporated into every project going forward, and that would typically be baked into your contingency fund.

For more information, contact Geoff Rodrigues, National Leader, Internal Audit Services, at 416.596.1711 or [email protected].


[1] Cost Overruns on Infrastructure Projects: Patterns, Causes, and Cures


  • Performance

    April 17, 2024

    Conflict in the workplace: the ripple effect on small businesses

    Conflict in the workplace can impact small businesses, affecting team dynamics, productivity, and company culture.

  • Confidence

    April 17, 2024

    Following these steps will protect your practice value if emergency strikes

    You can’t predict the future, but building a plan helps to keep your business protected.

  • April 16, 2024

    How to gain control of your Microsoft Power Platform environment: Tools and governance

    How can you identify the tools you need to support the governance and enablement of your organization’s Microsoft Power Platform solutions?