Click here and type document title - qgcio.qld.gov.au Web viewThis document has been security...
Transcript of Click here and type document title - qgcio.qld.gov.au Web viewThis document has been security...
Click here and type document title
Queensland Government Enterprise Architecture
ICT program and project assurance framework
Final
June 2016
V2.0.0
PUBLIC
Document details
Security classification
PUBLIC
Date of review of security classification
June 2016
Authority
Queensland Government Chief Information Officer
Author
Queensland Government Chief Information Office (QGCIO)
Documentation status
Working draft
Consultation release
Final version
Contact for enquiries and proposed changes
All enquiries regarding this document should be directed in the first instance to:
Queensland Government Chief Information [email protected]
Acknowledgements
This version of the ICT program and project assurance framework was developed and updated by the Queensland Government Chief Information Office.
Feedback was also received from a number of agencies, which was greatly appreciated.
Copyright
ICT program and project assurance framework
Copyright The State of Queensland (Department of Science, Information Technology and Innovation) 2016
Licence
This work is licensed under a Creative Commons Attribution 4.0 International licence. To view the terms of this licence, visit http://creativecommons.org/licenses/by/4.0/. For permissions beyond the scope of this licence, contact [email protected].
To attribute this material, cite the Queensland Government Chief Information Office.
The licence does not apply to any branding or images.
Information security
This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.
Contents
1Introduction5
1.1Purpose5
2Assurance profiling5
2.1Purpose5
2.2Process5
2.2.1Assurance profiling assessment criteria5
2.2.2Assurance levels6
Level 1 assurance - Internal6
Level 2 assurance External to project7
Level 3 assurance External to department7
Level 4 assurance External to government7
2.3Practice7
3Assurance planning7
3.1Purpose7
3.2Process7
3.2.1Reviews within the assurance plan8
3.3Practice8
4Assurance reviews8
4.1Purpose8
4.2Process9
4.3Practice9
4.3.1Programs9
Gate 0 - Strategic assessment9
4.3.2Projects9
Gate 1 - Preliminary evaluation10
Gate 2 Readiness for market10
Gate 3 Investment decision10
Gate 4 - Readiness for service10
Gate 5 Benefits realisation10
4.3.3Agile projects10
4.3.4Gateway overview11
4.3.5Review timeframe11
4.3.6Review team numbers11
5Assurance reporting12
5.1Purpose12
5.2Process12
5.3Practice12
5.3.1QGCIO reporting requirement12
5.3.2Overall Assurance report RAG status13
5.3.3Assurance report recommendation RAG status13
6References13
QGEAPUBLICICT program and project assurance framework
Final | v2.0.0 | June 2016Page 13 of 13
PUBLIC
Introduction
The establishment of consistent assurance processes provides confidence that programs and projects are committed to the successful delivery of initiatives and services across the Queensland Government.
The Queensland Government ICT program and project assurance framework provides a mechanism for independently reviewing and advising on ICT and ICT-enabled initiatives to ensure they represent value for money, are viable and are appropriately governed.
Please note, the use of the word initiative throughout this document is intended to mean either program or project.
Purpose
This framework provides information on the process of assurance profiling, planning, reviews and reporting. Every program and project is different, and assurance should be applied sensibly and appropriately. Following the recommended actions for approaching assurance should result in timely initiative reviews that provide tailored advice and help to identify opportunities for successful delivery.
This document is broken down into the following sections that align with the recommended actions for approaching assurance:
assurance profiling
assurance planning
reviews
reporting.
Assurance profilingPurpose
Assurance profiling is the first step to determine the appropriate assurance level and the degree of independence and scrutiny required to adequately address the complexity and impact implications that the program or project represent to service delivery.
Minor initiatives will attract an assurance level of 1, while critical initiatives will attract level4. Therefore, as the assurance level increases, so too does the requirement for independent assurance analysis. This levelling will ensure appropriate assurance is applied to the initiative, therefore avoiding over or under assuring.
ProcessAssurance profiling assessment criteria
The assurance profiling process analyses nine criteria to calculate an initiatives assurance level. Robust discussion with the Senior Responsible Owner (SRO) (and/or Project Executive) surrounding these characteristics will assist in understanding the benefits of assuring the initiative as well as increase focus on areas of concern.
Finance: The initiative is a significant financial investment. It involves significant time constrained funding.
Government policy: The initiative contributes to a major public service or government policy outcome, possibly involving legislative or policy changes.
Service delivery: The initiative is likely to directly impact front line or community government services and attract external (including media) interest.
Organisational change: The initiative involves substantial organisational change management considerations. It involves stakeholders outside of agency direct control whose buy-in and/or support may be required.
Duration: The initiative will be undertaken over an extended period or there are potential delivery challenges regarding duration. Example: the solution is not well-defined or has immovable dates.
Complexity: The initiative is innovative and not typical of an initiative undertaken by the agency. Example: it requires complex technology support and skills not available within the agency.
Security: The initiative involves sensitive information or operations requiring higher than normal security and business continuity considerations.
Stakeholder management: Delivery is regarded as challenging. Cross agency support may be required for successful delivery of initiative and realisation of benefits.
Governance: The complexity of the initiative is likely to require an increased governance, scrutiny and specialist management capability.
Assurance levels
Four assurance levels are defined. Each progressive assurance level supports an increasing level of assurance activity, scrutiny, and independence. The table below provides a summary of how assurance can be applied for each level and more detail is provided in the summaries following.
Assurance
Within project
Within dept.
External to dept.
Supplier for major initiatives
QldTreasury
Supplier for critical initiatives
Level 1internal
Level 2external to project
Level 3external to department
Level 4external to government
Level 1 assurance - Internal
Level 1 represents the standard agency project level of assurance, primarily involving the Project Board and internal business area/s staff. This assurance level requires minimal assurance however reviews will still be scheduled and assurance planning still required.
The reviews can be completed by staff working closely with the initiative or staff in the agencys portfolio/program/project office (PMO), etc.
Level 2 assurance External to project
Reviews can still be conducted from within the agency, but must be external to the initiative to ensure quality levels are maintained. For example, reviews may be performed by a PMO, internal audit team or a suitable governing body. Involvement from senior management, independent from the business area, may also be required.
Level 3 assurance External to department
External assurance is required at this level. You may consider:
using another department with an established assurance service team to undertake your assurance
the Queensland Treasury Gateway delivery function is suitable for initiatives with an assurance Level 3 - it is important to note that only reviews organised by the Queensland Treasury Gateway unit can use the term Gateway Review.
the Department of Science, Information Technology and Innovation (DSITI) also maintain the ICT services standing offer arrangement (Queensland Government employees only) which contains a list of suppliers under Program and Project Gated Assurance (major initiatives).
Level 4 assurance External to government
This is the highest assurance level and requires external to government, independent providers of assurance services for critical initiatives.
DSITI maintain the ICT services standing offer arrangement (Queensland Government employees only) which contains a list of suppliers under Program and Project Gated Assurance (critical initiatives).
Practice
Assurance profiling takes place when a new initiative is identified or when s