Once a project has been approved and funded, monitoring occurs at two levels. At the project level, the sponsor monitors on behalf of the board to ensure risk is being managed. At the organisational level the board monitors the sponsor to ensure (s)he is focussed on realising the promised benefits. The board must oversee some mechanism to monitor the sponsor because it would be a clear conflict of interest to have the sponsor monitor themselves. It would expose the organisation to the risk of having the sponsor change the success criteria if the project fails to deliver what was originally promised. This is the current practice and can probably only be overcome with this additional board level discipline. The advantage of having this mechanism is not that targets will cease to change, but that boards will have earlier warning and have more opportunities to cancel projects if circumstances change and make projects unviable. A board must have the discipline to intercede and cancel unviable projects because it is too much to expect a fired-up project sponsor to be objective enough to cancel his own project. The key governance question at an organisational level is 'Are the benefits on target or being realised?' This cannot be answered without some kind of monitoring mechanism (ref Q3) and related to this is the question of whether appropriate interventions are being directed if the benefits are not on target.

Monitoring at a project level is generally not the direct responsibility of the board. This activity can be performed on their behalf by the project sponsor and can be thought of as risk management. The main mechanism for risk management is the preparation of a project plan to manage all the expected risks. Project plans are usually well done by following existing project management guidelines. However, project plans do not plan for unanticipated risks and the majority of projects need to be changed as these unanticipated risks arise (Dvir and Lechler 2004). There is almost always a warning signal (Nikander and Eloranta 2001) and the key from a governance perspective is to ensure the project culture encourages stakeholders at any level to raise issues that may compromise the targeted benefits. This requires at one level a clear understanding by all the stakeholders of what the targeted benefits are, and at another level the willingness to listen and explore the business impact of issues as they are raised. It is particularly difficult with IT projects because the connection between technical issues and business outcomes is often not immediately apparent when they are first raised. The right culture seems to require a sensitivity and humility (willingness to learn) on the part of all stakeholders and in particular on the part of the executive project sponsor, because they set the tone for what will be addressed and what will not. This has many parallels with what is referred to as establishing a whistle-blowing culture within the corporate governance literature (Near and Miceli 1995, Smith and Keil 2003). Once a project has been commenced by following the traditional project management guidelines, the key governance question is “Is the culture right for unexpected issues to be raised?”