Project Monitoring & Controlling

Project Monitoring & Controlling Objectives

• Understand the purpose of monitoring and controlling in project management, specifically within automobility cybersecurity.
• Apply key tools and techniques to manage schedule, budget, quality, and scope.
• Implement monitoring and controlling plans aligned with cybersecurity project goals.
• Integrate automotive industry standards like ISO/SAE 21434, UNECE WP.29, PMBOK, and ISO 31000.

Overview of Project Monitoring and Controlling

• Project work keeps the project team focused and project activities running smoothly. This includes but is not limited to:
  • Managing the flow of existing work, new work, and changes to work;
  • Keeping the project team focused;
  • Establishing efficient project systems and processes;
  • Communicating with stakeholders;
  • Managing material, equipment, supplies, and logistics;
  • Working with contracting professionals and vendors to plan and manage procurements and contracts;
  • Monitoring changes that can affect the project; and
  • Enabling project learning and knowledge transfer.

Overview of Project Monitoring and Controlling

• Definition: Continuous process to track, review, and regulate project progress and performance.
• Goal: Ensure project aligns with planned scope, schedule, and budget while mitigating risks.
• PMBOK Integration: Part of the Project Execution Process Group and Knowledge Areas (Cost, Quality, Risk, Scope, and Integration Management).
  • Monitoring and Controlling Process Group:
    • Those processes required to track, review, and regulate the progress and performance of the project.
    • Identify any areas in which changes to the plan are required; and initiate corresponding changes.

Overview of Project Monitoring and Controlling

2.5.7 MONITORING NEW WORK AND CHANGES

• “In adaptive projects, there is an expectation that work will evolve and adapt. As a result, new work can be added to the product backlog, as needed. However, if more work is added than is being completed, or if the same amount of work is added that is being completed, the project will continue without end. *The project manager works with the product owner to manage expectations around adding scope, the implications to the budget, and the availability of project team members**. The product owner prioritizes the project backlog on an ongoing basis so that high-priority items are completed. If the schedule or budget is constrained, the product owner may consider the project done when the highest priority items are delivered”.*

Source: PMBOK 7th Edition

Frameworks and Standards in Monitoring and Controlling

• ISO/SAE 21434: Road vehicles—Cybersecurity engineering. Essential for cybersecurity risk management throughout the vehicle lifecycle.
• UNECE WP.29: Automotive regulatory requirements on cybersecurity and software updates.
• ISO 31000: Framework for risk management; applicable to project risks in automobility.
• PMBOK: Guide for monitoring and controlling processes across project phases.

Key Components of Monitoring and Controlling

• Schedule Control: Regularly update and review the project schedule.
• Cost Control: Monitor project budget and manage any cost variances.
• Quality Control: Verify project deliverables meet specified quality standards.
• Risk Management: Identify, analyze, and mitigate risks.
• Scope Verification: Ensure project outputs align with project scope.

Key Components of Monitoring and Controlling

4.2.7.4 Process Groups

• “Monitoring and Controlling. Those processes required to track, review, and regulate the progress and performance of the project; identify any areas in which changes to the plan are required; and initiate the corresponding changes”.

  4.6.3 PLANS

• “Schedule management plan. This plan is a component of the project or program management plan that establishes the criteria and the activities for developing, monitoring, and controlling the schedule”.

Source: PMBOK 7th Edition

Monitoring and Controlling Process Steps (PMBOK)

2.2.1 PROJECT TEAM MANAGEMENT AND LEADERSHIP

• “Project management entails applying knowledge, skills, tools, and techniques for management activities as well as leadership activities. Management activities focus on the means of meeting project objectives, such as having effective processes, planning, coordinating, measuring, and monitoring work, among others. Leadership activities focus on people. Leadership includes influencing, motivating, listening, enabling, and other activities having to do with the project team. Both are important in delivering the intended outcomes”.

Source: PMBOK 7th Edition

Monitoring and Controlling Process Steps (PMBOK)

2.3.1 PROVIDE OVERSIGHT AND COORDINATION

• “People in this function help the project team achieve the project objectives, typically by orchestrating the work of the project. The specifics of how this function is carried out within the project team can vary among organizations, but can include leading the planning, monitoring, and controlling activities**. In some organizations, this function may involve some evaluation and analysis activities as part of pre-project activities. This function includes monitoring and working to improve the health, safety, and overall well-being of project team members”.

Source: PMBOK 7th Edition

Monitoring and Controlling Process Steps (PMBOK)

1. Collect Performance Data: Gather metrics on project performance (e.g., cost, time, and scope).
2. Analyze Performance Data: Use analysis tools to understand variances and trends.
3. Report Performance: Share performance updates with stakeholders.
4. Implement Corrective Actions: Make adjustments to keep the project on track.
5. Continuous Improvement: Apply lessons learned for future project enhancements.

Monitoring and Controlling for Cybersecurity-Specific Risks

• Technical Risks: Regular vulnerability assessments, cybersecurity audits.
• Compliance Risks: Align with ISO/SAE 21434, UNECE WP.29 to ensure regulatory adherence.
• Legal Risks: Monitor legal requirements, data protection laws, and industry regulations.
• Emerging Threats: Incorporate threat intelligence updates and incident response planning.

Creating a Monitoring and Controlling Plan

1. Define Metrics and KPIs: Choose relevant indicators (e.g., time variance, cost variance, defect rate).
2. Schedule Regular Reviews: Establish review cadence for cost, schedule, quality, and risk.
3. Risk Management: Integrate ISO 31000 guidelines; include risk identification, assessment, and mitigation strategies.
4. Communication Plan: Ensure timely and transparent updates to stakeholders.
5. Adjust Plan as Necessary: Be responsive to new cybersecurity threats and regulatory updates.

Tools for Monitoring and Controlling

• Gantt Charts: Track project progress visually.
• Earned Value Management (EVM): Measure project performance and progress.
• Dashboards and KPIs: Use dashboards in tools like Microsoft Project, Jira, or Trello to monitor real-time metrics.
• Risk Matrices: Assess and prioritize risks (align with ISO 31000).

Tools for Monitoring and Controlling

• Earned Value Management (EVM) is a project management technique that integrates cost, schedule, and scope to assess project performance and progress.
• By comparing the amount of work planned with the work completed and the costs incurred, EVM helps project managers make data-driven decisions to keep the project on track.
• EVM provides valuable insights into project health by calculating performance indices and variances that signal whether the project is ahead, on schedule, or behind in terms of time and budget.

Earned Value Management (EVM)

• An EVM is a project management technique that integrates cost, schedule, and scope to assess project performance and progress.
• By comparing the amount of work planned with the work completed and the costs incurred, EVM helps project managers make data-driven decisions to keep the project on track.
• EVM provides valuable insights into project health by calculating performance indices and variances that signal whether the project is ahead, on schedule, or behind in terms of time and budget.

Earned Value Management (EVM)

To develop an EVM system, start with the following steps:

1. Define Project Scope and Create a Work Breakdown Structure (WBS):
   • Break down the project scope into smaller, manageable work packages in a WBS, ensuring that each task or deliverable is well-defined and measurable.
2. Estimate Costs for Each Task:
   • Assign budgeted costs (or Budget at Completion, BAC) for each work package. These costs represent the total planned value for the work.
3. Establish a Project Schedule:
   • Develop a project timeline, identifying start and end dates for each work package. This schedule serves as the baseline for tracking progress.
4. Set Performance Measurement Baseline (PMB):
   • The PMB is the combined baseline for scope, schedule, and cost, against which project performance will be measured. It includes Planned Value (PV), Earned Value (EV), and Actual Cost (AC).
5. Plan Reporting Periods and Collect Data:
   • Set intervals for reviewing project performance (e.g., weekly or monthly) and gather data at each reporting period to analyze progress.

Earned Value Management (EVM)

Key Metrics:

1. Budget at Completion (BAC):
   • The total budgeted amount for the entire project.
2. Planned Value (PV):
   • The amount of work scheduled to be completed at a specific time. Also known as the Budgeted Cost of Work Scheduled (BCWS).
3. Earned Value (EV):
   • The value of the work actually completed by the specified time. Also known as Budgeted Cost of Work Performed (BCWP).
4. Actual Cost (AC):
   • The actual costs incurred for the work performed by the specified time, also called the Actual Cost of Work Performed (ACWP).

Calculate Planned Value (PV)

To calculate Planned Value (PV), take the percentage of the project that was planned to be completed by a certain date and multiply it by the project’s total budget (BAC).

For example, if a project’s BAC is $100,000 and you expected to be 40% complete by a specific date, then:

PV= 40% ×100,000 = 40,000

This tells you that, by that date, you should have completed $40,000 worth of work according to the project schedule.

Calculate Earned Value (EV)

To calculate Earned Value (EV), take the percentage of the project that has actually been completed by a certain date and multiply it by the project’s total budget (BAC).

For example, if a project’s BAC is $100,000 and you expected to be 35% complete by a specific date, then:

EV= 35% ×100,000 = 35,000

This tells you that, as of this point in the project, you’ve completed $35,000 worth of the total budgeted work.

Calculate Actual Value (AV)

This is the actual cost incurred for the work completed by a specific time.

There is no formula to calculate Actual Value (AV) because it is based on actual expenditure data collected from the project.

Calculating EVM Metrics

Cost Variance (CV):

• Measures cost efficiency by comparing Earned Value (EV) and Actual Cost (AC).
• Formula: CV = EV − AC
• Interpretation: If CV > 0, the project is under budget; if CV < 0, the project is over budget.

---

Schedule Variance (SV):

Measures schedule efficiency by comparing Earned Value (EV) and Planned Value (PV).

Formula: SV = EV − PV

Interpretation: If SV > 0, the project is ahead of schedule; if SV < 0, the project is behind schedule.

---

Cost Performance Index (CPI):

Indicates cost efficiency by showing the ratio of EV to AC.

Formula: CPI = EV / AC

Interpretation: CPI > 1 means the project is cost-efficient; CPI < 1 indicates cost overruns.

---

Schedule Performance Index (SPI):

Indicates schedule efficiency by showing the ratio of EV to PV.

Formula: SPI = EV / PV

Interpretation: SPI > 1 means the project is ahead of schedule; SPI < 1 means it’s behind schedule.

---

Estimate at Completion (EAC):

Forecasts the total cost of the project at completion, based on current cost performance.

Formula: EAC = BAC / CPI

---

Estimate to Complete (ETC):

Estimates the remaining cost to finish the project.

Formula: ETC = EAC − AC

Evaluating EVM Results

Once EVM metrics are calculated, they provide insights into the project’s current status and future performance:

• Cost Analysis: Examine CPI to determine if cost efficiencies are being achieved. Consistently low CPI suggests budget issues, prompting the need for cost-cutting or reassessment of project resources.
• Schedule Analysis: Use SPI and SV to assess if the project is on schedule. If SPI remains low over several periods, adjustments to the timeline or resource allocation may be necessary.
• Trend Analysis: Track CPI and SPI over time to understand project trends. Improvement or deterioration in these indices can help predict project health and guide corrective actions.
• Forecast Accuracy: Regularly update EAC and ETC to provide realistic estimates based on current performance trends, enabling stakeholders to make informed decisions.

Example Scenario 3

Suppose a project has a BAC of $100,000, with the following data collected at a specific reporting period:

• Planned Value (PV): $40,000
• Earned Value (EV): $35,000
• Actual Cost (AC): $30,000

Example Scenario 4

Calculate and interpret:

• CV = 35,000 − 30,000 = +5,000 (under budget)
• SV = 35,000 − 40,000 = −5,000 (behind schedule)
• CPI = 35,000 / 30,000 = 1.17 (efficient use of costs)
• SPI = 35,000 / 40,000 = 0.875 (project is behind schedule)

This analysis shows that while the project is currently under budget, it is lagging in terms of schedule, highlighting the need for schedule adjustments to meet the timeline.

Monitoring and Controlling in Waterfall

• Waterfall Approach:
  • Structured phases with set monitoring intervals.
  • Emphasis on scope, time, and cost baselines.
• Organized in sequential phases - Requirements, Design, Development, Testing, and Deployment.
• Monitoring and controlling are crucial to each phase to help ensure each phase is completed accurately before moving on to the next.
• Example Scenario
  • Imagine managing the development of an in-car navigation system for an automotive cybersecurity project. Total project budget is $250,000, with an estimated project timeline of 12 months.

---

1. Requirements Phase
   • Goal: Define clear requirements for the navigation system, including cybersecurity needs.
   • Monitoring and Controlling Activities:
     • Progress Tracking: Confirm that all requirements are documented and approved by stakeholders by a set date.
     • Milestone Reviews: Schedule regular check-ins to ensure requirements are well-defined, complete, and feasible within budget.
     • Change Control: If a new security requirement is added (e.g., compliance with ISO/SAE 21434), evaluate the impact on cost, schedule, and scope before approving the change.
   • Example Metric: Requirements Completion Percentage - Measure how many of the required features have been documented compared to the total.
2. Design Phase
   • Goal: Create technical designs for the navigation system that meet requirements and cybersecurity standards.
   • Monitoring and Controlling Activities:
     • Design Reviews: Conduct regular reviews to verify that designs align with both functional and cybersecurity requirements.
     • Cost and Schedule Variance Analysis: Track the time and budget spent on the design against the original plan to detect any early deviations.
     • Risk Assessment: Assess potential cybersecurity design risks, document them, and develop mitigation plans.
   • Example Metric: Design Compliance Rate - Track the percentage of completed designs that meet cybersecurity compliance standards.
3. Development Phase
   • Goal: Build the navigation system according to design specifications.
   • Monitoring and Controlling Activities:
     • Earned Value Analysis (EVA): Use metrics like Planned Value (PV), Earned Value (EV), and Actual Cost (AC) to track cost and schedule performance.
     • Quality Control Checks: Regularly assess code quality and ensure security features are correctly implemented.
     • Scope Control: Review any new feature requests for potential impact on project scope, cost, and timeline.
   • Example Metric: Cost Performance Index (CPI) and Schedule Performance Index (SPI) = Use these indices to determine if the project is staying within budget and on schedule.
4. Testing Phase
   • Goal: Verify that the navigation system works as intended and meets cybersecurity requirements.
   • Monitoring and Controlling Activities:
     • Defect Tracking: Monitor the number of defects, especially those affecting security, and track how quickly they’re being addressed.
     • Variance Analysis: Compare testing progress and costs with planned values to spot any schedule or budget overruns.
     • Risk Log Updates: Document any new risks found during testing (e.g., a cybersecurity vulnerability) and adjust mitigation plans as needed.
   • Example Metric: Defect Density - Measure the number of defects found per module to ensure quality standards are met.
5. Deployment Phase
   • Goal: Launch the navigation system and verify that it meets all functional and cybersecurity criteria.
   • Monitoring and Controlling Activities:
     • Compliance Verification: Ensure that the final product complies with ISO/SAE 21434 and UNECE WP.29 standards.
     • Stakeholder Approval: Confirm stakeholder sign-off and document any lessons learned for future projects.
     • Closeout Report: Document final performance metrics and variance analysis results for cost, schedule, and quality.
   • Example Metric: Stakeholder Satisfaction Rate - Conduct a survey or gather feedback from stakeholders to measure the success of the final deployment.
   • Example Outcomes:
     • By rigorously applying monitoring and controlling, the project is within the $250,000 budget, identify a cybersecurity vulnerability in the Testing phase, and implement a fix within the scheduled timeframe.
     • At the end of the project, the CPI is 1.02 (indicating cost efficiency) and SPI is 1.0 (indicating the project finished on schedule).
     • Compliance with ISO/SAE 21434 standards is verified, and stakeholders approve the final deployment, noting satisfaction with the adherence to budget and timeline.

Monitoring and Controlling in Agile

• Agile Approach:
  • Iterative process with frequent check-ins (sprints and retrospectives).
  • Emphasis on adaptability and constant feedback loops
• Project management is iterative, with work divided into cycles or “sprints” allowing for regular feedback and adjustments.
• Monitoring and controlling focuses on tracking progress, quality, and adaptability in each sprint, ensuring alignment with evolving requirements and stakeholder feedback.
• Example Scenario
  • Imagine an Agile project to develop a mobile app for in-car diagnostics in an automotive cybersecurity context. The project is budgeted at $150,000 and will be developed over six two-week sprints.

---

1. Sprint Planning and Backlog Management
   • Goal: Define what work will be done in the upcoming sprint and prioritize tasks based on user stories.
   • Monitoring and Controlling Activities:
     • Backlog Grooming: Prioritize tasks according to stakeholder input and ensure they align with cybersecurity and compliance requirements.
     • Sprint Planning Meetings: Break down each task for the sprint, estimate effort, and allocate resources.
     • Work Capacity Analysis: Ensure the team has the capacity to complete the planned tasks in the sprint.
   • Example Metric: Sprint Capacity Utilization - Track the total hours of tasks versus available team hours to ensure workloads are realistic.
2. Daily Standups and Progress Monitoring
   • Goal: Track daily progress, identify blockers, and keep everyone aligned on sprint goals.
   • Monitoring and Controlling Activities:
     • Daily Standup Meetings: Team members report on what they completed yesterday, their plan for today, and any issues they face.
     • Task Board Updates: Use a Kanban or Scrum board to visualize work-in-progress (WIP) and ensure tasks are moving forward.
     • Impediment Tracking: Log and address blockers immediately to avoid delays in sprint tasks.
   • Example Metric: Work-in-Progress (WIP) Limit - Monitor tasks in progress to ensure team members aren’t overcommitted, reducing the chance of burnout or bottlenecks.
3. Sprint Review and Demonstration
   • Goal: Review completed work, gather feedback from stakeholders, and identify areas for improvement.
   • Monitoring and Controlling Activities:
     • Sprint Review Meeting: Present completed features to stakeholders, with demonstrations showing how features meet cybersecurity requirements.
     • Acceptance Criteria Validation: Confirm that each user story or task meets defined acceptance criteria, especially for cybersecurity features.
     • Stakeholder Feedback: Collect feedback and adjust the backlog for the next sprint, adding new tasks if needed.
   • Example Metric: Acceptance Rate - Measure the percentage of tasks that meet acceptance criteria without needing rework.
4. Retrospective for Continuous Improvement
   • Goal: Reflect on the sprint process, identify areas for improvement, and implement changes to enhance team performance.
   • Monitoring and Controlling Activities:
     • Sprint Retrospective Meeting: Discuss what went well, what didn’t, and any improvements the team can make for future sprints.
     • Root Cause Analysis: Identify causes of issues that slowed progress (e.g., security requirements that weren’t fully defined) and make process adjustments.
     • Action Items for Process Improvement: Document specific changes to be implemented in the next sprint to address identified issues.
   • Example Metric: Improvement Rate - Track the number of action items resolved from retrospectives over time to measure continuous improvement.
5. Agile Metrics for Monitoring and Controlling
   • Goal: Use Agile-specific metrics to keep track of project health, budget, and schedule.
   • Monitoring and Controlling Activities:
     • Burndown Chart: Track the remaining work for the sprint to ensure the team stays on target to complete it.
     • Velocity Tracking: Measure the average amount of work the team completes per sprint to forecast future sprint capacity.
     • Earned Value Metrics (EVM): Adapt EVM to Agile by evaluating the budget based on completed story points (e.g., Earned Value for a sprint = Total budget × % of story points completed).
     • Risk Burndown Chart: Track the mitigation of cybersecurity risks over time to ensure high-priority risks are addressed early.
   • Example Metrics:
     • Sprint Burndown Rate - Visualize the team’s progress and identify potential risks of not completing the sprint.
     • Velocity - The average story points completed in previous sprints can predict future sprint output, helping manage stakeholder expectations.
   • Example Outcomes:
     • After six sprints, the project has met core requirements and prioritized cybersecurity features as outlined by stakeholders.
     • Adaptability to Changes: During Sprint 3, a new cybersecurity requirement was added to address a regulatory change. By adjusting the backlog, this requirement was completed in Sprint 4 with no impact on the schedule.
     • On-Track Budget: Through regular EVM analysis, the project remained within its $150,000 budget, with cost performance indicators (CPI) showing an efficient use of resources.
     • Improvement Through Retrospectives: In Sprint 2, the team identified that unclear requirements for cybersecurity features were slowing development. As an improvement, they began inviting cybersecurity experts to Sprint Planning sessions, which improved accuracy in subsequent sprints.
     • Consistent Quality: The acceptance rate metric remained high (above 90%), indicating that most tasks met defined quality standards without significant rework.
     • Risk Management: Using a risk burndown chart, the team tracked and mitigated high-priority cybersecurity risks by Sprint 5, improving stakeholder confidence in the product’s security.

Summary and Key Takeaways

• Monitoring and controlling are essential for maintaining project alignment with objectives.
• Effective monitoring involves using the right tools, techniques, and frameworks (PMBOK, ISO standards).
• A proactive approach to managing legal, technical, and compliance risks enhances project success.

References and Further Reading

• PMBOK® Guide – Project Management Institute
• ISO/SAE 21434: Road Vehicles – Cybersecurity Engineering
• ISO 31000: Risk Management – Guidelines
• UNECE WP.29: Cybersecurity and Software Updates Regulations