Search

High

Cost, value and revenue are realistically estimated, forecast and monitored continuously. The project is at, or ahead of, budget

Off

Consider privacy, consent, and control: Safeguard user data by adhering to the Australian Privacy Principles and the Privacy Act (1988). Always obtain explicit, informed consent before collecting a user’s data and provide a means to update or delete it. Allow users to report inaccurate data and respond with how it has been rectified. Notify users of their own responsibilities to protect their data, such as not to share their password with others.
Eliminate ambiguity in your user interface: Provide validating feedback and progress tracking as users interact with your service. Design to eliminate the need for error messages in the first place; make them understandable and actionable where they remain. Tell users what information they need before they start a task and, where appropriate, allow them to pause and resume at their own pace.

Medium high

Cost, value and revenue are forecast and monitored regularly. The project is at, or ahead of, budget.

Off

Medium

The project is at, or ahead of, budget. Cost is monitored regularly.

Off

Medium low

The project is behind budget. Cost is monitored regularly.

Off

Low

Cost is not actively monitored. The project is over budget or there is no certainty of current status.

Off

Cost, value and revenue are realistically estimated, forecast and monitored continuously. The project is at, or ahead of, budget
Cost, value and revenue are forecast and monitored regularly. The project is at, or ahead of, budget.
The project is at, or ahead of, budget. Cost is monitored regularly.
The project is behind budget. Cost is monitored regularly.
Cost is not actively monitored. The project is over budget or there is no certainty of current status.

Scope and change control

The abstract nature of digital solutions can make scope management more difficult than for projects with tangible outputs. Robust scope management and change control processes are needed that drive management action.

Scope definition should include data management and conversion, integration and interfacing, reporting, change management, as appropriate.

During scoping, projects should engage in rigorous up-front analysis about overarching design, consideration of options, critical interdependencies and business problem identification.
This is of particular importance when using agile in larger projects where these concerns can be overlooked.

Processes need to account for changes in business requirements due to shifting business needs or discovery of misconceptions, reflecting budget cuts in scope changes, and highlighting reductions in scope to meet time or cost constraints.

Projects that push scope into subsequent tranches, even through official change processes, can impact upon delivery confidence.

DCA tolerances

High

A clear scope with measurable acceptance criteria, aligned to business need, refined through recent consultation with users, suppliers, project team and senior management, including benefits realisation activities. Change is minimal and well controlled.

Off

Medium high

A clear scope with acceptance criteria aligned to business need, developed through consultation with users, suppliers, project team and senior management, including benefits realisation activities. Change control may be slow to reflect implications of change across project.

Off

Medium

A scope referencing business need, developed with some consultation with users, suppliers, project team and senior management. Change control processes exist but is incomplete or needs improvement. Movement of scope between tranches is reflected in adjusted budget and schedule.

Off

Implement security measures

Secure by design: Use the Information Security Manual, the Essential Eight and other resources from the Australian Cyber Security Centre to thoroughly assess your service’s threats, posture and protections. Plan for which requirements and system hardening will support your service throughout design, build, operation and decommissioning.

Off

Medium low

A scope that lacks sufficient definition or clarity on acceptance criteria. Informal or undocumented change control.

Off

Low

Absence of scope definition or acceptance criteria. Change is not being controlled or substantial scope is being moved to subsequent tranches.

Off

A clear scope with measurable acceptance criteria, aligned to business need, refined through recent consultation with users, suppliers, project team and senior management, including benefits realisation activities. Change is minimal and well controlled.
A clear scope with acceptance criteria aligned to business need, developed through consultation with users, suppliers, project team and senior management, including benefits realisation activities. Change control may be slow to reflect implications of change across project.
A scope referencing business need, developed with some consultation with users, suppliers, project team and senior management. Change control processes exist but is incomplete or needs improvement. Movement of scope between tranches is reflected in adjusted budget and schedule.
A scope that lacks sufficient definition or clarity on acceptance criteria. Informal or undocumented change control.
Absence of scope definition or acceptance criteria. Change is not being controlled or substantial scope is being moved to subsequent tranches.

Risk management

Risk management practices are reflected throughout the other categories, however delivery confidence can be improved with evidence of proactive risk management, clear and appropriate ownership of risk and active management of issues.

Confidence is impacted where risk management is treated exclusively as a compliance exercise, where risk controls do not materially reduce risk or where there is blame and confusion result from risks being triggered.

DCA tolerances

High

Risks are actively discussed and managed in governance forums and aligned with the risk register. Ownership of risk and related activity is clear. Controls are effective.

Off

Medium high

There is a sufficient understanding and reporting of the material risks impacting the project.

Off

Medium

Risk management is a compliance activity. There is limited understanding and awareness of the key risks impacting the project.

Off

Medium low

There are significant risks and issues that are not adequately controlled or reported.

Off

Low

There is minimal understanding of the key risks, there are significant issues impacting project delivery and finger pointing on who is responsible.

Off

Secure by design: Use the Information Security Manual, the Essential Eight and other resources from the Australian Cyber Security Centre to thoroughly assess your service’s threats, posture and protections. Plan for which requirements and system hardening will support your service throughout design, build, operation and decommissioning.

Risks are actively discussed and managed in governance forums and aligned with the risk register. Ownership of risk and related activity is clear. Controls are effective.
There is a sufficient understanding and reporting of the material risks impacting the project.
Risk management is a compliance activity. There is limited understanding and awareness of the key risks impacting the project.
There are significant risks and issues that are not adequately controlled or reported.
There is minimal understanding of the key risks, there are significant issues impacting project delivery and finger pointing on who is responsible.

Scope and change control

DCA tolerances

Risk management

DCA tolerances

Connect with the digital community