AGB recently hosted a webinar with Baker Tilly and Minnesota State Colleges and Universities (Minnesota State) on project risk reviews. Speakers from both organizations discussed the dynamics of project risk reviews (PRRs), including the board perspective, the recommended approach for higher education institutions, the questions boards should be asking, and the lessons Baker Tilly has learned over years of performing these types of assessments for colleges and universities.
Baker Tilly and Minnesota State: A Case Study
For the last several years, Baker Tilly has supported Minnesota State’s internal audit function. The Office of Internal Auditing at Minnesota State works closely with leaders from Minnesota State’s 37 colleges and universities, as well as the system office, to address areas of risk and opportunity across the system. One such area of opportunity is Minnesota State’s effort to replace its 20-plus-year-old homegrown enterprise resource planning (ERP) system. The multiyear effort to replace that system with next-generation technology to support its students, faculty, and staff is called “NextGen.” Such a complex undertaking requires significant human and financial resources and, like any major system implementation, brings the potential for financial overruns, insufficient functionality, missed deadlines, and reputational risk.
To address these risks, Minnesota State’s Office of Internal Auditing, in collaboration with board and senior leadership, put into place a series of project risk reviews to provide assurance to the board and senior leaders, and advice to management, at each major step of the implementation process. To this point, the PRRs have resulted in compelling benefits such as increased trustee confidence, better transparency for stakeholders, validation of project risks and mitigations, and objective advice to leadership.
The outcomes of this ongoing project are affecting the lives of 340,000 students and more than 7,000 employees. Eric Wion, the executive director of internal auditing at Minnesota State, described the results of the PRRs on the webinar as “high value, very successful, and well received.”
The Risks: Why Boards Need Assurance
The Minnesota State Trustees needed assurance that student and institutional risks were being properly managed. In collaboration with Baker Tilly as its cosourced internal audit partner, Minnesota State developed a plan to conduct periodic PRR checkpoints. As of December 2020, Baker Tilly has conducted six PRR checkpoints to assure that the project risks are accurately highlighted, identified and managed throughout the project life cycle.
The complexity of a higher education environment amplifies the challenges of major systems implementations including the complexity of decentralized operations, budget constraints, and the substantial number of people impacted. Stakeholder needs, likewise, increase the project complexity, as such projects must consider the interests of the board and other institutional leaders, as well as the needs of faculty, staff, students, regulatory considerations, along with, of course, technological necessities.
Sizable challenges and needs present an array of relevant risks. Some of the common large project risks are:
- Project complexity and length—More time means more people, more potential resource turnover and more possibility of unforeseen challenges.
- Knowledge gaps—Internal resources often don’t have sufficient time, knowledge of, or experience with systems or business processes to oversee a large project.
- Cost of implementation—The financial impact of staffing internal resources and hiring outside vendors can be significant.
- Required changes—Current business processes will have to change, which can ultimately transform the organization’s operating approaches and even culture
- Material impacts—Financial, regulatory, and operational reporting could be affected.
From a board standpoint, there are four primary areas to focus on in any PRR. The four key project activity categories to monitor throughout a project are:
- Project governance and management—Is the proper leadership overseeing the project, managing the work on a day-to-day basis, and making the strategic decisions?
- Stakeholder involvement—Are constituents participating in defining and validating requirements and activities?
- Organizational change management—What are the goals of the project and is management laying out the agreed-upon plan, communications, training, and support to achieve those goals?
- Project execution—What are the tasks, efforts, and implementation activities? And does the board, which should have no role in the day-to-day execution, still have adequate insight into all major aspects of the project process?
The Right Approach: How to Tackle a Project Risk Review
A well-orchestrated PRR provides an objective assessment of projects, which breaks down further into two main categories: (1) processes (i.e., activities), which are being executed according to plan, leading practices, industry standards and/or regulatory requirements, and (2) products (i.e., outputs), which are delivered in alignment with project requirements and goals.
A PRR may be conducted for any type of project, including major change initiatives, system implementations, migrations, conversions, major software releases or upgrades. In any case, the primary goals of PRRs are generally to:
- Objectively and proactively identify risks, issues, and deficiencies;
- Reduce the likelihood of issue recurrence and/or downstream effects;
- Provide recommendations for mitigation and remediation of risks, issues and deficiencies; and
- Enhance management insight into project performance to mitigate the risk that the project will not achieve goals in terms of schedule, scope, and budget.
While all PRRs typically involve some type of analysis and evaluation or testing of processes and products, there are three primary types of PRR scopes:
- Comprehensive—Provide ongoing assessments, covering all phases of a project.
- Milestone—Provide point-in-time assessments at or around specific milestones of a project (e.g., completion of testing).
- Customized—Provide an overall point-in-time “snapshot” assessment of a project’s health, depending on project objectives or specific needs.
The most likely outcomes of PRRs, from a high-level perspective, are increased visibility and big-picture clarity for the board and senior leaders surrounding a project. This ideally facilitates the early detection of any risks or issues, which should in turn improve the quality of the project and ultimately help the project succeed.
Two examples of a PRR checkpoint deliverable for the board are below:
Perhaps the most important topic to cover is the benefits of a PRR, which are broken down into five main segments:
- More efficient and effective project execution through project optimization in accordance with industry leading practices;
- Overall cost savings through early risk and issue detection, reducing the need for re-work or later changes;
- More engaged stakeholders through increased visibility over project activities and potential areas of concern;
- Increased end-user acceptance through proper expectation setting and resolution of major issues before the project goes live; and
- Less intrusive approach than traditional audits, such as pre- and postimplementation reviews.
The Role of the Board: What Questions to Ask and What to Keep in Mind
Boards need to strike the right balance with PRRs. They must position themselves to oversee an overall project and remain available to address big-picture issues, all while allowing the right people to steer the project on a daily basis. With this balance in mind, we have highlighted some pertinent questions that boards should ask.
Baker Tilly has seen many of the same themes arise over the course of spearheading PRRs for various higher education institutions. One key lesson our team has learned is that institutions benefit from dedicated, experienced project managers. Not everyone has the training, experience, certifications, knowledge of higher education and insight into the culture of an institution to handle this role and juggle all of the responsibilities.
Some other tips for ensuring the success of major projects include:
- Consider relevant legal and regulatory requirements;
- Prioritize organizational change management;
- Communicate proactively and consistently with the project team;
- Continuously monitor performance of key vendors;
- Engage key institutional users early and regularly; and
- It’s more important to get it done right than on schedule
With these tips, tools, and focus areas in mind, Boards can provide oversight of transformational projects and leverage PRRs to gain assurance institution wide.
References and Resources
- WEBINAR: Board Oversight of Transformational Projects: Using Project Risk Reviews to Gain Assurance and Support Success (12/10/2020)
- PODCAST: Baker Tilly’s Higher Ed Advisor podcast
- Baker Tilly’s Fiscal Resilience Resource Center
With Thanks to AGB Sustaining Sponsor: Baker Tilly
Raina Rose Tagle
Raina Rose Tagle is a partner at Baker Tilly. Mike Cullen is a director in Baker Tilly’s risk advisory practice.
Opinions expressed in AGB blogs are those of the authors and not necessarily those of the institutions that employ them or of AGB.