The process below describes how the Scottish Government manages Independent Assurance Reviews (IAR).
Determining Risk and Complexity
The Senior Responsible Officer (SRO) is responsible for ensuring the Scottish Government’s two-stage Risk Potential Assessment process is completed. This determines whether the change initiative should have Independent Assurance Review (IAR) support. Stage 1 is a short self-assessment intended to filter out low-risk initiatives. Those assessed as Medium or High at Stage 1 must complete the more detailed Stage 2 self-assessment. Initiatives with a Medium/High rating following Stage 2 must contact the Programme and Project Management-Centre of Expertise (PPM-CoE) for an Assessment Meeting to be arranged.
The Assessment Meeting
It takes about ten weeks from this meeting to deliver the review. The meeting allows the PPM-CoE and the SRO to:
- confirm the initiative is ready for review, or record specifically why it is not to be reviewed
- determine what type of review would be most appropriate
- identify the required skill-set and experience for the IAR team and identify provisional dates for the planning meeting and the review
Subsequent to this meeting, the PPM-CoE will liaise with the SRO to agree a final review team configuration and membership.
The Planning Meeting
This is held about two weeks ahead of the actual review. The meeting is chaired by the Review Team Leader (RTL) and provides an opportunity for Review Team Members (RTM) to meet each other, find out more about the initiative, and finalise the list of stakeholders, documentation and logistics for the review.
Following the planning meeting the RTL assumes responsibility for liaising with the team delivering the initiative about the interview schedule etc. However, the PPM-CoE must be consulted on any issues that may impact the delivery of a successful review.
The Review Days
The review follows about two weeks after the planning meeting. Reviews are normally conducted over three days. The first days of the review are for stakeholder interviews and evidence gathering; the last day is for finalising the draft report.
The review team discuss 'emerging findings' with the SRO at the end of each day, allowing them to share their early thoughts on the way the review is progressing and offer the SRO the opportunity to correct any misinterpretations or 'off track' thinking to ensure there are no surprises within the review team's report.
The draft report is presented to the SRO on the last day of the review and provides an opportunity to discuss its contents with the review team. Over the following week the SRO and RTL agree a 'final' report that the SRO copies to the PPM-CoE.
The PPM-CoE send a summary of the report recommendations and the Delivery Confidence Assessment (DCA) statement to the SRO and relevant organisational/Scottish Government Accountable Officer. Where appropriate, the summary of recommendations and DCA is also sent to:
- Scottish Government’s Director, Procurement and Commercial
- the Chief Information Officer
- Deputy Director, Infrastructure Investment
- Director of Digital
The SRO is responsible for further circulation of the report as necessary to stakeholders and team members. The SRO is also responsible for considering any Freedom of Information request for the release of the report.
Within three weeks of the final report, the SRO should update the template with their intended actions for addressing each recommendation. The SRO should then return the completed template to the relevant organisational/Scottish Government Accountable Officer and copy it to the PPM‑CoE.
Following the review, the Scottish Government’s Assurance Director seeks feedback from the SRO and the review team to ensure the review process achieves and maintains high quality standards.