Unlocking certainty – assurance is the key

Mark Savage

Infrastructure Global Operations Lead


Assurance should be at the heart of every project - but is only truly effective when embedded early, using a suitable framework.

Assurance is essential for identifying and mitigating risk, but it is often introduced too late to a project to be truly effective. Embedding assurance at the earliest possible stage not only gives stakeholders confidence, it can also enhance decision-making.

Embedding assurance early

Before a programme is even commissioned, independent assurance teams should be empowered to challenge the future viability of an asset both at a macro and a project level.

For example, external risks should be assessed, such as checking compliance with current and future legislation, whether the asset will meet changing consumer demands, and if it can adequately adapt to demographic change and population forecasts. Strategic decisions should also be challenged.

On rail infrastructure projects, for instance, has the most appropriate route been selected? In an airport, is the baggage-handling system cost-effective and future proofed? In a hospital, will the configuration and layout of the building meet future demand?

Lines of defence

In the past five years, several advanced frameworks have evolved to support the way assurance is embedded into a project.

Of these, the lines of defence model (alluding to the different levels of seniority that will scrutinise a project at various stages) is increasingly gaining international acceptance as a best practice approach.

A project should have a minimum of three lines of defence, ensuring that risks are properly and objectively considered at three management levels – the project, programme and board – before key decisions are made.

The first line of defence involves embedding controls, measures, checks and balances within the day-to-day delivery activities at any stage of the project. The scope of this line of defence includes delivery notes, progress, payment schedules and quality checks.

The second line of defence is the responsibility of the overall programme or project leader – for example, the business sponsor, programme manager or regional portfolio head. At this level, assurance verifies that the controls are effective and that the programme is progressing as intended and claimed. Trends are tracked in order to identify potential problems and clashes later in the project.

The third line of defence is the responsibility at the highest level of the organisation, such as the programme board, main board or investment committee. It provides assurance that management controls and objective validation procedures are being applied effectively and that the programme is meeting its baseline and business case criteria.


Although certainty is desirable in any project, it is important that the amount of assurance is proportionate to the scope of the programme. Too little assurance leaves a project vulnerable, while a heavy hand can stifle progress and compromise efficiency.

For example, on a complex major project with numerous contractors and new technology, such as a hospital or a nuclear power plant, controls will be intensive and handson.

Safety considerations aside, heavy control is necessary in order to reduce the risk to the programme due to the multiple interfaces between contractors and the uncertainty of new technology.

If, on the other hand, a project is straightforward, with a sole supplier and little technical or organisational complexity, the control function can be much smaller. This is because there is a proven solution, the workflow is common and the contractor is wholly responsible, with no interfaces to manage.


Assurance is an invaluable means of avoiding lengthy delays and rocketing costs, or, in the worst-case scenario, risks that could derail a project altogether. Most compellingly of all, assurance can give clients confidence that they are investing wisely: building in the right way, at the right time and maximising the benefits for end users and stakeholders.