Enterprise Portfolio Assurance
Financial Services — Building Society (mutual sector)
Enterprise Portfolio Assurance — Embedded, Three-Phase
22 Months

The Situation
A decade of constrained investment since the 2008/9 financial crash had left the Society's systems development unable to keep pace — efficiency targets, product launch speed, and the business's future footing were all at risk.
What the Board needed wasn't a single platform decision, but a wholesale change in how the organisation approached and delivered change itself: new platforms, new methodology, and a Programme Office capable of running it.
The Complexity
| Stage | Duration | Purpose | What was
tested |
Escalation
trigger |
| Stage 1 - Replacement v Rejuvenation Decision Assurance | 4 Mths | A focused, time-boxed assessment to give the Board a balance-of-risks view of the two options (replace vs. rejuvenate) | Systems analysis; the Society's resources, capability and capacity; project management maturity; a detailed risk assessment | Tiered escalation model (see below) |
| Stage 2 — Portfolio Re-Plan Assurance | 5 Mths | Validate the 3rd party's plans to deliver the agreed rejuvenation, and introduce embedded assurance and governance checkpoints across key programmes | Financial viability of the plans; resource capacity and capability; execution risks; proofs of concept; key programmes at governance checkpoints | Tiered escalation model (see below) |
| Stage 3 — Key Programme and Roadmap Assurance | 13 Mths | Provide assurance over three critical programmes and validate the revised change portfolio roadmap | Programme delivery reality vs reported status; roadmap validity; risks and issues, assessed against six categories: Governance, Planning, Technical & Business Solutions, People, 3rd Party, and Sustainability | Tiered escalation model (see below) |

Escalation Model
Applied consistently across all three stages (variable by phase, risk type, and impact detected):
- Programme operational risks → escalated to Programme Leads, communicated through Steering Groups
- Portfolio risks, dependencies and issues → raised, where appropriate, to the CRO, COO and CIO
- Overall risks to delivery, regulatory, cost and people** → raised both in counsel sessions and at Board meetings
- NED-instigated examinations of specific area → results communicated to the instigating NED and, occasionally, the Audit & Risk Committee
The Engagement
-
Engaged in an interim capacity by the Chief Risk Officer, working with his team, I provided embedded independent assurance across three consecutive phases of the Society's change portfolio over 22 months
-
From a focused, 6-week assessment of the core platform decision, through portfolio re-planning, to assurance of the critical programme roadmap.
-
Sponsorship of the third phase transferred from the CRO to the Chief Audit Officer at the halfway point, reflecting the shift toward embedded assurance outputs.
-
Throughout, the role was advisory only: assisting Programme Leads, CxOs and NEDs in understanding change risks across the portfolio and the detail of the programmes under embedded assurance, without direct decision-rights or spend authority.
CxO Counsel
Independent assurance meant more than a report to the Board.
- In Phase 1, it meant telling the CRO, COO and CIO that despite finely balanced options on paper, the Society's real capability and capacity to execute pointed to a structured, methodical rejuvenation — not the more ambitious path.
- In Phase 2, confidential sessions with CxOs and Programme Sponsors required blunt expectation-setting, pushing leaders to consider the portfolio's overall need rather than defend their own operational area.
- In Phase 3, a weekly cadence with programme leads and the CIO, COO and CRO, and monthly sessions with NEDs, kept hard truths on the table. One of those was delivered plainly: "There's a key broken relationship, it's now surfacing in meetings to the extent that the parties are in open conflict and leaving meetings." — the kind of dependency a RAG-rated status report would never show.
"There's a key broken relationship, it's now surfacing in meetings to the extent that the parties are in open conflict and leaving meetings"

KEY DECISION POINTS
See the summary below:
| Gate | Question | Decision that Resulted | Consequence
Avoided/ Enabled |
| Phase 1 | Replace or rejuvenate the core banking platform? | Options were finely balanced on paper; given the Society's actual capability and capacity to execute change, the recommendation was to rejuvenate the existing platform in a structured, methodical manner, explicitly cognisant of the risks and the limits of risk appetite — agreed in principle by the Board | Costs avoided by clarifying the decision before commitment |
| Phase 2 | Could the 3rd party's plans actually deliver the agreed rejuvenation — financially, operationally and at acceptable risk? | A new financial decision process was implemented (with the CFO); embedded assurance and governance checkpoints were introduced across key programmes; governance was overhauled | Costs reduced by validating portfolio solutions, cost rationale and Board decision data; enabled affordability checks and effective executive interventions in the planning process |
| Phase 3 | Are the three critical programmes and the revised roadmap sound enough to proceed? | A revised PMO — strengthened processes and augmented resource; a unified approach to identifying, managing and reporting change risks; a revised delivery strategy; a revised financial decisions process linked to the core financial management of the business; a revised internal assurance strategy following the approach adopted for the engagement | Proactive risk mitigation and communication cut decision lead time across the programmes by an average of 4 weeks, supported by well-understood and consistently applied processes; open visibility and discussion provided a platform for successful delivery |
Assurance Approach
Across all three phases, assurance was built on independent testing rather than reliance on reported status:
- in Phase 1, evaluating the underlying systems analysis, the Society's actual resource capacity and project management maturity rather than the readiness claims on paper;
- in Phase 2, validating proofs of concept and applying embedded assurance at governance checkpoints rather than accepting the change partner's re-plan concept at face value;
- in Phase 3, embedded assurance ran across key programmes and proofs of concept through a standing cadence — weekly sessions with programme leads and the CIO, COO and CRO, monthly sessions with NEDs — surfacing both the good and the bad across the portfolio rather than relying solely on programme-reported RAG status.
A consistent risk framework applied across all phases including embedded assurance: risks were categorised as
- Governance, Planning, Technical & Business Solutions, People, 3rd Party, and Sustainability — giving the Board, NEDs and Programme Leads a consistent lens across all three critical programmes rather than ad hoc, programme-specific reporting
Outcome
- An initial report was delivered to the Board within 6 weeks, clarifying the platform replacement/rejuvenation decision and avoiding costs on an uncommitted path.
- Combined with the cost reductions from validating Phase 2's portfolio solutions, cost rationale and Board decision data, this represented costs in the region of £2m avoided or reduced across the two phases.
- Phase 3 left the Society with a revised PMO — strengthened processes and augmented resource — a unified approach to identifying, managing and reporting change risks, a revised delivery strategy, a revised financial decisions process linked to core financial management, and a revised internal assurance strategy built on the engagement's own approach.
The result: decision lead time across three critical programmes cut by an average of 4 weeks, with well-understood, consistently applied processes and open visibility providing a platform for successful delivery.

The Shift
- From a decade of constrained post-crash investment leaving platforms, methodology and Programme Office capability behind →
- to a Board and NEDs making rejuvenation, re-plan and programme decisions on independently tested delivery reality, cutting decision lead time by a month on average.
Service
This reflects Enterprise Portfolio Assurance
If your Board is being asked to decide on the strength of internal or vendor analysis alone, embedded independent assurance closes that gap. If you're in the midst of change that isn't working, assurance will find the hidden risks. Or, if you want to set things upfrom the start with a validated business case...
Get in touch to discuss Enterprise Portfolio Assurance.