By Gabriela Mayer

Introduction

In recent years, there has been a sharp increase in companies that have been driven to expand their operations or migrate completely to the digital world, especially during and after the COVID-19 pandemic. The Annual Survey on the Brazilian IT Market and Use in Companies, with reference to 2021, published by the Center for Applied Information Technology (FGVCia) of the São Paulo School of Business Administration (FGV EAESP), reveals the anticipation of digital transformation processes equivalent to what was expected for a period of four years.

As a consequence of these demands for action, which in many cases may have been implemented without proper planning due to the need for accelerated change, there has also been a considerable increase in the number of security breaches reported according to several surveys, including the articles “Impact of COVID-19 on Cybersecurity” and “Cyber attacks on companies increase 300% in the pandemic”, published by Deloitte and EY, respectively.

In addition to the operational and financial impacts, and even before digital transformation projects were initiated or accelerated during the pandemic, research conducted by the Project Management Institute (PMI) already demonstrated the need to improve business results through projects. The 8th global survey on project management, “PMI’s – The Pulse of Profession” published by the institute in 2016 with the theme “The High Cost of Low Performance”, shows that USD 122 million is wasted for every USD 1 billion invested, due to insufficient project performance. The same research shows that projects are 2.5 times more successful, i.e. business objectives are achieved, when proven project management practices are adopted, and that such projects spend thirteen times less money.

The survey also presents data on the recognition of the importance of the strategic role of a corporate Project Management Office (PMO) and its alignment with the company’s strategy. The correct combination and focus between appropriate project management practices, leadership and strategic business management, aspects of the “PMI Talent Triangle”, results in 40% more projects achieving business objectives.

Image 1. PMI Talent Triangle (Source: Project Management Institute. The Pulse of Profession – The High Cost of Low Performance. PMI: Global Operations Center; 8th Global Project Management Survey, 2016, p.2)

Although it’s true that observing the technical aspect of project management alone is no longer enough to guarantee competitiveness in today’s global economy, this article sets out to explore PRINCE2, one of the various reference models for process-based project management, based on consideration of the existence of a project environment that must be adequately controlled in the organization. It will also answer the following questions: what can be done to manage the project environment more assertively, so that the success rate of the portfolio is as high as possible? And, based on our experience as a company specifically in the cybersecurity area that provides and consumes information security solutions, can we say that the use of this project management methodology increases the delivery of value through products and/or services to our clients, regardless of their area of activity? 

What is a project?

There are many definitions in books, studies, frameworks, standards and interpretations, from the most diverse and relevant sources, about what a project is. To support this assertion, we present the definitions contained in three of the main reference sources in project management: 

  1. A project is a temporary organization that is created for the purpose of delivering one or more business products in accordance with an agreed business case [AXELOS. Managing Successful Projects with PRINCE2. Sixth edition. Norwich: TSO, The Stationery Office, 2017, p. 8.].
  2. A temporary effort undertaken to create a unique product, service or result [PMBoK – PMI. PMBoK Guide. Newtown Square: Project Management Institute, Inc.; Seventh edition, 2021, p. 20.].
  3. A single process consisting of a set of controlled and coordinated activities, with start and completion dates, carried out to achieve an objective in accordance with specified requirements, including time, cost and resource constraints.” [ABNT. NBR ISO 9000 Quality management systems – Fundamentals and vocabulary. Rio de Janeiro, 2015, p. 43].

Despite the apparent differences, the three quotes presented have in common the idea that a project is something temporary, involving the coordination of joint efforts (parallel or not) and whose output is the creation and/or delivery of a unique product/service. For the purposes of this article, we’ll adopt the definition presented in PRINCE2 as our main reference.

Once the concept of a project has been defined, it’s understood that the main delimiters in project management are: time, scope and cost. These three aspects are also known as triple constraints and are interdependent, meaning that if there is a change in one of the aspects, this alteration will consequently have an impact on at least one of the other two, and sometimes both. In between, there is a fourth aspect – quality – which will also be directly impacted by any change made.

At this point, it’s important to make an additional clarification, since the triple constraint is inherent in both agile and traditional management projects. The difference lies in which of the three aspects are “fixed”, in quotation marks, since any project can be subject to change and renegotiation. In projects whose scope can be considered well-defined and therefore fixed, traditional management will generally be adopted. For projects whose scope cannot be well defined, costs and deadlines will be well defined and therefore fixed, and agile management will generally be used. Without prejudice to the scope of the management style, agile practices and techniques can be adopted in either case.

Image 2 – Visual representation of the triple constraint in projects (Source: Author)

What is a project in a controlled environment?

The term “controlled environment” is commonly used in industries and research laboratories. These are segregated environments where important elements such as ambient temperature, pressure, humidity and other factors are controlled for the development of products and studies.

When we talk about a project in a controlled environment, we understand this to mean that it – the environment – has well-defined and known activities and phases, i.e. a well-defined scope, which makes it easier to understand and predict the results and deadlines required for execution within the desired quality standards. These are projects that resemble business processes through repetition, such as activating the same service for several different clients or constructing a building, for example. However, although the projects are similar, each client and context has its own particularities, which makes each project unique.

In a controlled environment, we have a certain degree of predictability when it comes to essential project management issues such as the execution structure to be followed, but this is no guarantee that the project can go ahead without proper monitoring by a project manager.

The project manager’s daily concerns are: identifying and controlling the scope, defining roles and responsibilities, managing changes and risks, assertive and noise-free communication between stakeholders, managing expectations, managing conflicts, managing costs, as well as documentation that is kept up to date throughout the project and, of course, creating a schedule that will be monitored and, most likely, altered during a project.

How is a project managed in a controlled environment?

First of all, project management should be considered a necessity and not a choice, especially when it comes to companies focused on providing services and/or development (of products and/or services). In these cases, adopting good project management practices can be the difference between a successful project and a failed one. There are various methodologies, frameworks, standards, good practices and certifications available on the market for this purpose, such as the PMBOK Guide, PRINCE2, Scrum, Extreme Programming and Six Sigma. These are some of the best known and most widely used methodologies.

The focus of this publication is not to present, in detail, the pros and cons of each of these tools mentioned; the definition of the methodology or good practice must take into account the type of project and the organizational and business context in which the project is inserted. For comparison purposes, the table below gives a brief overview of two of the best-known and most widely used project management tools in the world: the PMBoK Guide and PRINCE2.

Table 1. Comparison between PMBOK and PRINCE2 (Source: Author)

The PMBoK Guide, until its sixth edition, always had a prescriptive and process-based approach to the adoption of its good practices, as it was a knowledge base that provided guidance but didn’t explain the necessary steps implicitly. In its latest revision, which resulted in the seventh edition published in 2021, the changes were drastic and its approach became adaptive and based on performance domains. As can be seen in the table above, the structure of the PMBoK was similar to that of PRINCE2. It’s notable that in the seventh edition, the PMI guide brings with it the addition of “The Project Management Standard”, which for the first time separates the ANSI standard from the guide.

Taking into account all the concerns of a project manager mentioned above, it can be seen that both the PMBoK Guide and PRINCE2 can be excellent guides in managing the challenges of each project. However, while the PMBoK underwent a profound and sudden change in its entire structure to adapt to the current project management scenario, PRINCE2 maintained its standard of excellence, gradually adapting with each new edition released. As a result, it has established itself worldwide as a reliable project management method in a controlled environment.

From now on, as stated in the introduction, this article will explore the PRINCE2 approach and how this methodology can help find the answers to our initial questions.

Introduction to Prince2

Prince2 – Projects in Controlled Environments, version 2 – is a project management methodology structured in a generic way, so it can be applied to all types of business, regardless of size, type, area of operation and/or geographical restrictions.

Prince’s origins take us back to the now-dissolved Central Computer and Telecommunications Agency (CCTA), which was a British government agency responsible for supporting government departments when it came to IT and telecommunications.

The following image shows a brief historical summary of the evolution of PRINCE2 over the years.

Image 3 – Evolution of PRINCE2 over the years (Source: Author)

Since 2013, PRINCE2 has belonged to AXELOS Ltd., which manages the training centers and certification of professionals in this methodology and many others in various fields of knowledge. It’s estimated that there are more than 1 million certified professionals in more than 150 countries, with Europe, the Middle East and Asia being the regions where the number of certified professionals has grown the most.

PRINCE2 is a methodology based on processes and governance, whose aim is to guide us through project management and whose differential is that it is completely adaptable and flexible to suit any type of business. The only non-negotiable point in the methodology is that the principles are not fully adopted. In short, either you follow all the principles in full or you don’t actually adopt the methodology. These principles, as well as the rest of the structure, are explained below.

PRINCE2 structure

PRINCE2 is made up of 4 integrated and complementary elements. These are: principles, themes, processes and suitability for the project and/or project environment.

Principles

The principles are the basis of the entire PRINCE2 structure. They are the requirements and good practices that will determine whether the project is actually being managed. There are seven principles:

  • Continued business justification: with each necessary change and/or each change in the stage of the project, it should be checked that the motivation for carrying out the project is still valid. If the scope changes or the benefits no longer make sense, the project should be closed.
  • Learning from experience: it’s necessary to look for lessons learned from similar projects that have been carried out previously in order to check for better routes and possible adaptations.
  • Define roles and responsibilities: these should be established before the project starts so that, from the outset, you know who is taking part in the project and, above all, who is responsible for each of the planned activities.
  • Focus on products: clearly and objectively define what the expected results will be and the minimum level of quality required to consider the project finished.
  • Manage by exception: the methodology provides the project manager with a certain amount of freedom to manage changes, as long as these changes do not exceed a previously agreed number, such as a percentage of spending allowed over and above what was initially planned. If the changes have a greater impact than the agreed tolerance, it’s said to be an exception and should be brought to the attention of the project board for action.
  • Manage by stages: the project should be divided into stages to make it easier to control. The more complex the project, the smaller the stage should be.
  • Adaptation to the project environment: you can, and should, adapt the methodology for use according to business needs, provided that, as mentioned above, you fully adopt these seven principles.

Themes

Themes, also known as knowledge areas, are the aspects of the project that must be continuously managed and dealt with during all phases of a project, from the conception of the project idea to its completion. PRINCE2 presents seven themes:

    • Business Case: this is the initial document of record for a project, which must remain up to date during all phases of the project, from the initial investment feasibility proposal to carry out the project, where the document will only be an outline, to the completion of the project, where the document will be more robust and detailed. It will serve as a basis for assessing whether the project remains viable, desirable, achievable and aligned with the company’s objectives. It should be used by the board for decision-making.
    • Organization: the organization of a project must be carried out carefully and calmly. This is when the structure of the project will begin to be defined, as well as the existing roles and responsibilities, such as the executive board, suppliers, technical leaders, etc. It’s important to note that PRINCE2 describes the requirements for temporary allocation, which is very common in matrix organizational structures.
    • Quality: quality management helps to define the expectations regarding the benefits expected from the completion of the project, as well as ensuring that these expectations have been met. PRINCE2 focuses on the product, so quality is a crucial point for the methodology.
    • Plans: this is a very complex and robust topic, but it can be divided into project planning, phase planning, exception planning and specialist team planning. The individual plans help in the development of the execution plan, both initially and in the control and management of the project, and should be followed at each change of project phase. With this topic, you can answer several questions, including: what is needed? How will it be done? Who will do it? How much will it cost? What quality is required?
    • Risks: risk management deals with the identification, analysis/evaluation and control of the uncertainties to which the project may be subject. It’s a study that must be carried out throughout the project’s life cycle and must be constantly updated, just like the business case.
    • Changes: PRINCE2 interprets changes in planning as inevitable, but they must be dealt with formally. It’s recommended that a process be established to control these changes and thus standardize the way in which these requests reach the project manager. Every request for change must be recorded, analyzed and its impact on the project measured before the request is accepted or not. It should be remembered that the more changes a project undergoes, the further away we get from the original scope.
  • Progress: this topic helps us to control the project, analyzing performance indicators, updated status, evaluating the deliveries that are being made, to understand possible delays and, if necessary, take the appropriate actions to keep the project on schedule. The main concern here is to ensure that the project is on schedule and on target.

Processes

PRINCE2 also has seven processes, a progression of sequential activities from project conception through each stage of a project’s life cycle. Each process has a checklist of recommended activities for execution, products and related responsibilities. They are: Starting up a Project, Directing a Project, Initiating a Project, Controlling a Stage, Managing Product Deliver, Managing a Stage Boundary and Closing a Project.

  • Starting up a Project: is a process of shared responsibility (project manager and executive level) and is known as pre-project activities. Here the purpose is to ensure that the requirements for initiation are established and that the project is worthwhile.
  • Directing a Project: is a process for which the project board is responsible. It works from the start of the project to the end, so that the board makes key decisions and delegates control and management to the project manager.
  • Initiating a Project: is the process of defining the project’s product, product quality, project deadline, costs, risk analysis and resource commitment, with a view to understanding the work that will need to be done before significant financial contributions are made.
  • Controlling a Stage: is the process in which the project manager assigns the activities that need to be carried out to their executors, monitors the results, deals with issues and takes action to ensure that the project remains within tolerance limits, as well as reporting on progress. This process is repeated at each stage of the project.
  • Managing Product Delivery: this is the process in which work packages are executed and products are created. The experts receive the work packages (they are like a list of tasks) from the project manager and send the completed and tested results back.
  • Managing a Stage Boundary: is the process that has two main functions, first to present and report the performance of the current stage to the project board and then to allow the project board to approve the start of the next stage.
  • Closing a Project: is the process that covers the work of formally closing the project and is therefore the last part of the last planned stage. Here a series of activities are suggested, such as the Final Project Report, Lessons Learned Report and evaluating or updating the Acceptance Record.

Suitability for the project environment

The fourth and final element that makes up the PRINCE2 methodology is adaptation to the project environment. As mentioned earlier, this methodology is known for being generic and can therefore be used in any business model, it just needs to be adapted to the organizational structure of each project.

It should be pointed out that some organizations want to build their own project management methodology, but this is usually a long-term goal, given the requirements for management maturity.

Image 4 – PRINCE2 structure (Source: AXELOS. Managing Successful Projects with PRINCE2. Norwich: TSO, The Stationery Office; Fifth edition, 2009, p.6.)

Initial results following the effective adoption of the PRINCE2 methodology at Tempest

In this first moment, we’ll briefly present the motivation for adopting the methodology, as well as the initial results obtained after adopting PRINCE2 as the base methodology for the company’s delivery-oriented project management office. Remember that, as stated in the introduction to this article, a more in-depth evaluation of our results will be presented at a later date.

The project management office was created after identifying the need for internal operational restructuring, with a focus on delivering contracted services and maximizing the delivery of value to clients. 

After this need was identified, a series of conversations and alignments with the areas followed, where, with the application of PRINCE2’s “Plans” theme, the result achieved was the mapping of the activities that were carried out in each type of project. Still following the same theme, we divided this series of activities into milestones to facilitate project control. After approval and further adjustments, we had the results of the first project templates, thus marking the beginning of the standardization of our processes. With this, we ended up creating an even more controlled environment, bringing improvements in the definition of the scope, as well as listed standard activities that cover everything from the first contact with the client to the conclusion of the client’s onboarding project. Despite this standardization, we understand that clients have their own particularities and customizations that are respected, which brings us back to the essence of a project, which is: something temporary, involving the coordination of joint efforts and whose output is the delivery of a unique (often customized) product/service.  

With the reformulation promoted through the project management office, we have seen expressive results being achieved on an ongoing basis, such as an increase of 52.14% in the number of projects executed being delivered within the timeframe initially planned with the client, compared to previous results, as a result of the practical application of PRINCE2’s “Progress” theme. This stability in the project environment also helped us to be able to identify the necessary allocations of human resources, as well as organizing these resources in such a way that we were able to maintain an average of 20 to 25 projects running in parallel, which is another result of adopting the project management methodology mentioned above, this time with the support of the “Organization” theme. With this structuring, when we compare it with previous years, we can see an increase of 77.42% in the number of projects implemented per year.

With regard to the customer experience and the achievement of business objectives, 8.45% of the procedural deviations identified internally are related to project management and, of all the complaints registered by customers during the period analyzed, only 1.13% were about projects managed by the project management office, a direct reflection of the management of the agreed business case and quality management.

In addition to all these tangible and intangible benefits, one of the main benefits of controlling the project environment is that we can learn from previous experiences and improve our processes and templates through continuous improvement.

Conclusion

Contrary to what many may think, project management is not just about creating and monitoring a schedule. This article seeks to present, in a brief and systemic way, the possibility of a process approach to managing the various nuances and the many details that must be observed.

We can say that project management in organizations is able to help stakeholders make important decisions, such as which initiatives should be prioritized, since in addition to digital transformation initiatives, organizations’ resources, whether financial or human, are always restricted. 

So, by returning to the initial questions of this research, PRINCE2 supports the management of the aspects of the triple constraint, as well as quality, risks and benefits in an explanatory, detailed and sequenced way, so that nothing is forgotten or neglected. The approach presented allows projects and portfolios to be aligned with strategic objectives and can therefore easily be integrated under umbrella frameworks as varied as TQM, ISO 20000, COBIT, ITIL, as well as being associated with other related frameworks for projects.

From our experience, the benefits obtained by Tempest right from the start of the reformulation obtained through the project management office were perceived and listed and we can say that, with PRINCE2’s focus on the product and, as service providers, there was a clear increase in the perception of delivering value to the customer in cybersecurity products and services.

Similarly, constant alignment with the business case ensures continuous analysis of whether the project remains viable, desirable and achievable. It’s also assessed whether it remains aligned with the company’s objectives, within a context of security programs that require ever-increasing investments and whose investments need to be assessed from a business perspective. This analysis is completely independent of the areas in which our clients operate; in fact, it’s a desirable and always pertinent analysis. The benefits of this alignment with the business case are mutual and allow the relationship between the provider and consumer of cybersecurity services to reach the level of a real partnership, far beyond the merely commercial aspect.

Finally, it’s important to remember that even if the project environment is considered a controlled environment, this should not be confused with a static environment. The same thought applies to the business environment, so carrying out the PDCA cycle (Plan, Do, Check and Act) for each project is considered an essential step for effective project management and provides continuous improvement in management processes.

References

ABNT. NBR ISO 9000 Sistemas de gestão da qualidade — Fundamentos e vocabulário. Rio de Janeiro, 2015.

ATAQUES cibernéticos a empresas aumentam 300% na pandemia. EY, 2021 Available at: https://www.ey.com/pt_br/agencia-ey/noticias/ataques-ciberneticos-a-empresas-aumentam-300-por-cento-na-pandem. Accessed on: April 07, 2024.

AXELOS. Managing Successful Projects with PRINCE2. Sixth edition. Norwich: TSO, The Stationery Office, 2017.

CICLO PDCA: o que é e como aplicar em projetos. MJV Innovation, 2022. Available at: https://www.mjvinnovation.com/pt-br/blog/ciclo-pdca/. Accessed on: February 23, 2023.

CICLO PDCA: uma ferramenta imprescindível ao gerente de projetos! Project Builder, 2021. Available at: https://www.projectbuilder.com.br/blog/ciclo-pdca-uma-ferramenta-imprescindivel-ao-gerente-de-projetos/. Accessed on: February 24, 2023.

CYBERSECURITY Project Management. Threat Intelligence, 2023. Available at: https://www.threatintelligence.com/blog/cybersecurity-project-management. Accessed on: April 05, 2024. 

JUMP in cyber attacks during Covid-19 confinement. Swissinfo, 2020. Available at: https://www.swissinfo.ch/eng/sci-tech/jump-in-cyber-attacks-during-covid-19-confinement/45818794. Accessed on: April 06, 2024.

MEIRELLES, Fernando S. Pesquisa do Uso da TI – Tecnologia de Informação nas Empresas. FGV EAESP. FGVcia ; 34ª Edição Anual, 2023.

MELO, Jefferson L. et al. Guia preparatório para a certificação prince2 foundation: gerenciamento de projetos em ambiente controlado. 2ª edição. Rio de Janeiro: SF Editorial, 2022.

MONNAPPA, Avantika. PMP® Vs PRINCE2® Vs CAPM®: Which One’s Right for You. Simplilearn, 2023. Available at: https://www.simplilearn.com/pmp-vs-prince2-vs-capm-course-article. Accessed on: January 31, 2023.

MONTES, Eduardo. Restrição Tripla em projetos. Escritório de Projetos, 2020. Available at: https://escritoriodeprojetos.com.br/restricao-tripla. Accessed on: February 24, 2023.

NABE, Cedric. Impact of COVID-19 on Cybersecurity. Deloitte. Available at: https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html. Accessed on: April 05, 2024.

PANDEMIA acelerou processo de transformação digital das empresas no Brasil, revela pesquisa. FGV, 2022. Disponível em: https://portal.fgv.br/noticias/pandemia-acelerou-processo-transformacao-digital-empresas-brasil-revela-pesquisa. Accessed on: April 07, 2024.

PMBOK 7 vs PMBOK 6: Top Differences You Need to Know. Simplilearn, 2023. Available at:  https://www.simplilearn.com/pmbok-7-vs-pmbok-6-article. Accessed on: February 23, 2023.

PMI. PMBoK Guide. Newtown Square: Project Management Institute, Inc.; Seventh edition, 2021.

PMI. PMI’s – The Pulse of Profession – The High Cost of Low Performance. PMI: Global Operations Center; 8th Global Project Management Survey, 2016.

RONA, Petra. Cyber Security Program Management. LinkedIn, 2020. Available at: https://www.linkedin.com/pulse/cyber-security-program-management-petra-rona/. Accessed on: April 05, 2024.

TURLEY, Frank. Business Case. Prince2 wiki. Available at: https://prince2.wiki/. Accessed on: April 11, 2023.

ZERLANG, Jesper. The Pandemic’s Lasting Effects: Are Cyber Attacks One Of Them? Forbes, 2022. Available at: https://www.forbes.com/sites/forbestechcouncil/2022/07/20/the-pandemics-lasting-effects-are-cyber-attacks-one-of-them/?sh=18dd8f2a2b76. Accessed on: April 05, 2024.