Technology Assurance Framework – Governance and project control

April 24, 2024 | Category: Digital Assurance Office, Digital Scotland, Technology Assurance Framework

Guest blog by Laura Johnstone, Continuous Improvement team, Digital Assurance Office.

The Digital Assurance Office (DAO), who administer the Technology Assurance Framework, share the lessons learned from their assurance reviews to support others to deliver more successful projects and programmes.

This blog shares our insights relating to governance and project control. This is our fourth insights blog. You can catch up on previous assurance insights on our blog.

Major digital project reviews

Between 2017/2018 and 2022/2023, 196 major digital project reviews were completed under the Technology Assurance Framework (TAF), resulting in 1748 recommendations. Governance and project control is the top recommendation, featuring in more than half of all reports from reviews and making up 11% of all recommendations.

The DAO also assess services for compliance with the Digital Scotland Service Standard. Dominant recommendations from these assessments also focus on the need for robust governance structures to be put in place, with clear escalation and decision-making routes. More information on this is included in an earlier blog post.

Our analysis of the recommendations for improvement under the governance and project control theme resonates strongly with Audit Scotland’s Principles for a digital future, specifically the principles of ‘active governance providing appropriate control and oversight’ and ‘clear leadership that sets the tone and culture and provides accountability’. Public sector organisations are encouraged to consider these principles before embarking on digital projects or programmes and throughout the project lifecycle.

Recommendations for improvement focus on:

Active and appropriate governance arrangements

  • governance structures should be tailored to meet the needs of the programme or project, be fully documented and approved. Developing a roles and responsibility (RACI) matrix is often identified as a helpful tool in clarifying roles and responsibilities
  • there should be an explicit, documented understanding of the relationship between the different structures in operation and their respective responsibilities and authority (e.g. design authority, programme board)
  • governance boards need to have appropriate authority to discharge their functions. It should be explicit what delegations boards have, and which decisions need to be escalated, including to whom and how that escalation is managed
  • those represented on governance boards need to have a clear understanding of their remit and responsibility and have the authority to fulfil that. Several recommendations draw out the need to have appropriate representation from the business on boards
  • governance boards should be action-orientated and plan-based to enable them to be explicitly clear on focus and prioritisation
  • governance arrangements (including terms of reference for boards and membership) should be live, with effectiveness reviewed regularly to ensure it’s the ‘right board, right people, right decisions’. Changes to governance should be introduced as needed throughout the lifecycle of the programme or project to respond to requirements

Decision making

  • governance boards need robust information, including options appraisal and risk analysis, to support decision making and exercise control
  • effective reporting mechanisms, providing the right information at the right time for decision makers, need to be in place. Several recommendations highlight the need for standardised highlight reporting, including Red/Amber/Green status and risks and issues, and for actively using programme documentation (e.g. critical path, deliverables) as the baseline against which progress is reported
  • boards need a schedule for the decisions that need to be made. Boards must understand the implications of decisions not being made in line with the schedule
  • decision making should be included on the critical path
  • decision making around project closure needs to be planned for and built into the critical path
  • a robust system to record decisions should be put in place; there should be a single source of truth

Project Control

  • a robust Project and Programme Management regime needs to be in place, tailored to the needs of the project
  • a mature structure and delivery methodology, underpinned with detailed and up-to-date project management documentation will enable effective project control (e.g. project plan, critical path, dependency map)
  • have in place clear planning assumptions and decision-making frameworks for specific areas
  • review the role of the Project Management Office (PMO) to ensure it is adding value and exercising control
  • there should be clear and agreed criteria against which decisions can be taken on whether to move to the next phase of work

Change control

  • change control processes should be in place. These should document how requests will be managed and be proportionate to the complexity of the programme
  • where a change control board is established, it should have clear accountability and decision-making parameters

To help others improve delivery of digital projects the Digital Assurance Office are sharing insights from assurance and working with organisations who have had assurance to share their experiences from delivery. If you want to get involved – or have thoughts on what insights would be helpful to share – contact us at

The Programme and Project Management Centre for Expertise provide advice and support on programme and project management and would welcome discussions with projects looking to develop proportionate governance structures. The Scottish Government programme and project management principles are available and apply to any project of any size.

The Infrastructure and Projects Authority module on Governance covers the why and the how of embedding proportionate project governance.

For expert guidance to help you deliver high quality digital services visit the Digital Scotland Service Manual.

The Scottish Digital Academy is the public sector centre of expertise for digital capability and can provide information, advice and guidance on developing digital, data and technology skills to support transformation.

The Digital Scotland Service Standard Criterion 14, Ensure Sponsor Acceptance, provides guidance and links to more information around agile governance.

The Social Security Programme have case studies on ‘Release Management’ and ‘Service Manager: what it took’ which relate to the themes set out above, particularly robust governance structures and decision making. Contact the Our Story team to find out how to access this case study.
