We perform risk audits on projects to ascertain whether we are deviating from the desired budget, schedule, and quality levels we specified at the start of the project. At the 50,000-foot level, risk auditing looks like the following:
- Define the problem
- Choose an audit team leader
- Choose an audit team or let the leader choose
- Establish a rubric for scoring the quality of the audit
- Accumulate evidence, facts, information
- Assess evidence, facts, information
- Present a report
We should schedule our audits at least as frequently as major milestones and more often if we are having problems with the project. The audit team must be objective assessors of project or program issues. We recommend hiring an external auditor only if objectivity is likely to be compromised.
The rubric will primarily cover the triad of delivery, budget, and quality with some additional analyses for known historical issues; for example, we might look at adherence to the statement of work (SOW). Resource issues can also be an auditable item.
We accumulate evidence by analyzing documentation, especially the project timeline, interviews, procurement, staffing, and budget, among others. Once we have our evidence organized for analysis, we assess the project for risk, qualitatively at least and quantitatively when feasible, and produce a report.
The project risk analysis report can be delivered to the project management office or appropriate executive function. Once the team delivers the report, they may be given authorization to schedule further audits, which, as we indicated, should occur at least as often as major milestones (reviews). In fact, we suggest that the risk audit be a part of the review agendas.