Using Technology to Audit Your ISO 21500 Project Management Compliance

There is a growing trend among organizations who seeks excellence in what they deliver to use ISO (International Organization for Standardization) standards to create documents that provide requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose. For those organizations who are projects centric, there are a number of ISO standards that could be applicable to their business operations including ISO 9001 for Quality Management Systems, ISO 14001 Environmental Management System, ISO 18001 Occupational Health and Safety Management Systems among others. Nevertheless, the one that focus on project management is the ISO 21500 which provides guidance for project management and can be used by any type of organization, including public, private or community organizations, and for any type of project, irrespective of complexity, size or duration.

ISO 21500 and PMI PMBoK

The ISO 21500 provides high-level description of concepts and processes that are considered to form good practice in project management. For those organizations who have adopted the professional best practices of the Project Management Institute (PMI) Project Management Body of Knowledge (PMBoK) will not find difficulty in pursuing the ISO 21500 certification. For example, the ISO 21500 divides the project processes into five process groups similar to PMBoK. There is only slightly different naming of few processes and knowledge areas. For example, for processes instead of “Executing” it is named as “Implementing” and instead of “Monitoring and Controlling” it is named as “Controlling”. For the ten knowledge areas, the only difference is in “Human Resources” where it is named as “Resources” in ISO 21500.

ISO 21500 Audit Checklist

Most project centric organizations usually follow some kind of standards or practices, best or not, in performing their project management processes. Therefore, it is important to carry an initial assessment of what is being followed at the different projects being delivered by the organization. This will help in identifying the gaps between what the organization have adopted today and what they need to adopt to enable them to become ISO21500 certified.

For example, for project risk management, the assessment needs to take into consideration the organization practices in risk identification, assessment and control. The assessment could for example include the following specific queries that need to be investigated and assessed.

1.      Risk Identification

a.      How often are risks identified through the project life cycle?

b.      How are these risks managed?

2.      Risk Assessment

a.      Is probability of the occurrence and impact of the identified risk assessed?

b.      What techniques are being used in the project to priorities, manage and record the identified risks and their resolutions?

c.      Are risks that may impact time schedules or project budget, identified and maintained separately?

3.      Risk Control

a.      Does the project plan consist of a contingency plan?

b.      Do project risks form part of project progress reports?

The assessment will use the five grading levels shown below to rate the extent of adoption of the relevant project management best practices by each project. The rating values could be adjusted to non-linear value by giving a score of 10 for Superior, 7 for Good, 5 for Acceptable, 3 for Marginal and zero for Unsatisfactory. Nevertheless, it should be the same rating across the whole organization.

PMWeb Project Management Information System (PMIS) will be used to create a template for the ISO 21500. The layout and format of this template is highly configurable and depends on the ISO Audit team requirement. The header will usually include the project name, date, who performed the audit, status among others. The table will include the ISO 21500 process group name, process ID, process name, the audit questions, score value and notes. Again, additional fields can be added if needed. For example, the organization might consider adding a weight value for each checklist question to provide a weighted scope for each project management process and eventually each process group.

The ISO 21500 audit checklist can also be designed to be specific for each of the ten-project management process. For example, there could be an audit checklist for Scope, Time, Cost, Quality, Resources among others. This is an option and not a requirement.

It is also important to identify and maintain copies of all documents that were provided and reviewed when assessing the project management processes. For example, the project risk management assessment would require the team to identify if the project team are maintaining the risk register, if they are using any risk analysis tools or techniques like the Monte Carlo simulation for assessing the project’ schedule confidence level, if there is any risk review meetings, if there is any policy or document process for identifying, assessing and controlling risks among others.

All of those documents need to be uploaded into PMWeb document management repository and then attach those documents to the ISO 21500 audit checklist. PMWeb document management repository will have a folder for each project management process, for example scope management, time management, cost management, resource management among others. For each process group folder, subfolders will be created to map the specific processes within a group. For example, for the project risk management folder, there will be three subfolders; Risk Identification, Risk Assessment and Risk Control. The filing structure can be also expanded to include the five process groups; Initiation, Planning, Implementing, Controlling and Closing. In addition, if the assessment also includes program and portfolio management, additional folders can be created to add those documents.

To enforce governance when performing the ISO 21500 audit, workflow needs to be assigned to the Audit Checklist where it will include the different roles and responsibilities in submitting, reviewing and approving the performed audit. This is a highly recommended practice as it will help to keep track of all performed audits and who was involved in each particular audit. This becomes also more critical when the ISO 21500 audit is performed by more than one auditor depending on which project management process being audited.

Reporting the Audit Results

The ISO 21500 audit data captured across the organization’s portfolio of projects will become immediately visible for the ISO 21500 certification team. The tabular report will list the ten project management processes followed by which of the five project phases it belongs to and then the specific project management processes for each group. The report could have been expanded to include the specific audit checklist questions for each project management process as shown above for project risk management. The report also shows the weighted ISO 21500 compliance score for each project management process and for each project being assessed or audited. The color of the cells uses the color scheme set for each audit grade.

The graphical bar chart shows the weighted assessment grade for the ten-project management process for each project being assessed. The bar chart could have been detailed or designed in different forms and formats to meet the audit team requirements.

Additional reports can be designed that will focus on the improvement of ISO 21500 across the organization’s projects. Although the report tabular layout will be similar to the one above but instead of reporting against each report, the reporting will be against each year, that is 2017, 2018, 2019 and so on assuming that the organization will perform the ISO 21500 audit on annual basis. The value for each year will be the average score across all projects. The report could include filters to enable the organization to select a specific project, a program or a portfolio of projects.

Although this article is not about how to implement ISO 21500 standard or the benefits that an organization could gain from adopting such standard, nevertheless, the article details on how organizations who want to implement such standard can use technology such as PMWeb PMIS to create a straight forward solution that will help them to assess and diagnose their current project management practices and identify the gaps in meeting project management best practices. This will enable the organization leadership team to identify the needed processes improvements to meet the desired project management maturity level the organization wants to achieve.