DERBYSHIRE BUILDING SOCIETY RISK ASSURANCE DEPARTMENT Audit Area: Project Management Ref No: Section: 4 Risk management

Project: Programme of Audit Tests

TEST REF

Reviewed By: __________________ Date:

Test results

_______
WP REF EXEPN

4.1

Risk management
Projects require to be progressed with regard to the risks associated with their delivery. These risks and their management will vary through the project lifecycle. Project board/sponsor

4.1-1

Review the role of the project board and/or sponsor does their role include: o Adequate definition about how risk is to be managed? o Are responsibilities for the management of risk clear and unambiguous? o Are reporting requirements set i.e. for project manager to report to them? o Are risks affecting the achievement of the corporate plan considered and reported to senior management? Has the project board assessed the level of risk from the business case and set a tolerance for the project to operate within? Has the project manager been advised of any external risks that may affect his project? Does the business case strike a balance between risks and benefits?

4.1-2

4.1-3

4.1-4

Project Manager 4.1-5

Graham.Raymond@thederbyshire.co.uk Page 1 Updated by ___ Date ___

DERBYSHIRE BUILDING SOCIETY RISK ASSURANCE DEPARTMENT Audit Area: Project Management Ref No: Section: 4 Risk management Project: Programme of Audit Tests
TEST REF

Reviewed By: __________________ Date:

Test results

_______
WP REF EXEPN

4.1-6

Review the project managers role in relation to risk management, does it include: o Responsibility for risk identification? o Are risks adequately recorded? o Are risks and mitigating actions regularly reviewed? o Preparation of a plan of activity to identify risks throughout the projects life i.e. undertaking risk assessments at key points i.e. business case preparation, design, implementation? Has a risk management process been developed and issued to all those involved with the project, this should include the project team and any other relevant people associated with it i.e. business management, designers. Are roles and responsibilities clear?

Graham.Raymond@thederbyshire.co.uk

Page 2

Updated by ___ Date ___

DERBYSHIRE BUILDING SOCIETY RISK ASSURANCE DEPARTMENT Audit Area: Project Management Ref No: Section: 4 Risk management Project: Programme of Audit Tests
TEST REF

Reviewed By: __________________ Date:

Test results

_______
WP REF EXEPN

4.2

Risk management planning

A plan should be in place detailing what risk management processes are in place and what activities will be undertaken throughout the project

4.2-1

Has a plan been prepared and issued to all those involved? Does it include what will be done, when and by whom o Roles and responsibilities o What will be done? o By who? o When? o What risk management processes are to be followed? o Are risks assessed as part of the change process (see also separate change AWP) o Are risk assessments planned to be undertaken as part of each stage of the project? o Are reporting requirements defined for those in the project team o Are reporting requirements to the project board/sponsors defined, this may be by way of regular progress reporting or exception reporting in the event that, for example a new high priority risk is identified. Review the risk assessment activities detailed in the risk plan and confirm: o That planned activities appear reasonable for the project, consider its size, complexity, timing, phases etc.
Page 3 Updated by ___ Date ___

4.2-2

Graham.Raymond@thederbyshire.co.uk

DERBYSHIRE BUILDING SOCIETY RISK ASSURANCE DEPARTMENT Audit Area: Project Management Ref No: Section: 4 Risk management Project: Programme of Audit Tests
TEST REF

Reviewed By: __________________ Date:

Test results

_______
WP REF EXEPN

o o o o

Have the planned activities been undertaken on time? Have the outcomes been adequately documented with any follow-up actions identified and included in the project plan? Have risks identified been added to the risk log (see section 2 below) Have all risk areas been considered: Strategic / commercial Economic / financial / market Legal & regulatory HR & organisational Political Environmental Technical & IT Operational

4.2-3

Review the reports prepared for the project board/sponsors: o Have they been prepared on time? o Do they accurately reflect the risk log current state assessments Has the risk department been engaged and asked to provide appropriate levels of support and involvement? Has this level of support been provided are risk actively engaged? Are DBS risk management policies and procedures being followed?
Page 4 Updated by ___ Date ___

4.2-4

4.2-5 4.2-6

Graham.Raymond@thederbyshire.co.uk

DERBYSHIRE BUILDING SOCIETY RISK ASSURANCE DEPARTMENT Audit Area: Project Management Ref No: Section: 4 Risk management Project: Programme of Audit Tests
TEST REF

Reviewed By: __________________ Date:

Test results

_______
WP REF EXEPN

4.3

Risk logs
An up to date log should be maintained of all risks associated with the project and it should be regularly reviewed.

4.3-1

Obtain a copy of the risks log and confirm: o A unique reference is allocated to each risk o Date risk identified and by whom o A brief description of each risk is included o That risk categories have been allocated to allow grouping and easier review i.e. legal commercial, HR o Impacts and likelihood have been assessed o Timing of the risk impacting has been considered o Have mitigating actions been agreed o Are contingency plans prepared where necessary, for example: these may be business continuity type plans or plans to cover the risk of a leak to the press or the risk of industrial action o Where there are no mitigating actions has the risk been formally accepted is there an effective mandate in place to detail who can accept risks o Does each risk have an owner this should be a named individual not a department o Is there a date for review/completion of mitigating actions? o Date and outcome of the last review
Page 5 Updated by ___ Date ___

Graham.Raymond@thederbyshire.co.uk

DERBYSHIRE BUILDING SOCIETY RISK ASSURANCE DEPARTMENT Audit Area: Project Management Ref No: Section: 4 Risk management Project: Programme of Audit Tests
TEST REF

Reviewed By: __________________ Date:

Test results

_______
WP REF EXEPN

4.3-2 4.3-3 4.3-4 4.3-5

Current status i.e. dead, reducing, increasing, no change

Review the risks on the log, do they include all risks identified i.e. in the business case, at risk assessment workshops Talk to a sample of people in the project team, are they aware of the risk process, their responsibilities and how to raise a risk? Is there a standard template in place to support this? Does the risk log provide evidence that the process is used? Do the risks raised on the risk log look reasonable for the project under review, are all obvious risks included?

Graham.Raymond@thederbyshire.co.uk

Page 6

Updated by ___ Date ___