What gateway reviewers actually look at
QRA reports land on the desk of people who have seen hundreds of them. A UK IPA gateway reviewer, a departmental assurance lead, or an investment committee member reviewing QRA outputs is not going to read the report cover-to-cover. They are going to look at a small number of specific things, form a view, and ask questions. The structure and content of the report determines whether they arrive at the view you want them to.
The three things a reviewer looks for first are: the headline confidence position (what is the P80 cost, what is the P80 date), the methodology (is this an AACE-compliant approach or a bespoke model), and the transparency of the underlying data (can I see the risk register, the three-point estimates, the correlation structure). A report that makes these three things easy to find and defensible to challenge is a report that builds confidence. A report that buries them in appendices or obscures them through narrative is a report that triggers scepticism.
The reviewer's mental model is: does this QRA represent honest analysis of the programme's risk profile, or does it represent a model tuned to produce a number the delivery team wanted to present? The two can look similar on the surface — both have S-curves, both have P80 figures, both have risk registers — but they have different signatures in how they are documented. The reviewer knows what those signatures look like.
The structure that works
A QRA report for gateway purposes should open with an executive summary that states the headline position in plain terms. Three to five sentences covering: what was analysed, the confidence levels produced (P50, P80, ideally P95), the principal risk drivers identified, and the data sources underpinning the analysis. A reviewer reading only the executive summary should come away with a clear picture of what the analysis shows.
The methodology section comes next. It should state explicitly which AACE reference standards were followed — typically PGD-02 (Guide to Quantitative Risk Analysis) as the overarching reference, plus the Recommended Practice that matches the modelling approach used: 57R-09 for risk-driver Monte Carlo of a CPM model, 113R-20 for combined parametric and expected-value methods, or 123R-22 for estimate-ranging plus expected-value with Monte Carlo. It should describe how variability risk and event risk were separated, how correlation was handled, what distribution shapes were used, how many iterations were run, and what tool produced the model. Compliance with AACE standards is the single strongest signal a reviewer uses to form an initial impression of the work's rigour.
The results section presents the confidence levels with supporting visualisations — S-curves, tornado charts, risk-driver ranking tables. The reviewer expects to see not just the headline P80 but the sensitivity analysis that identifies the top five to ten drivers of exposure. A results section without sensitivity analysis is incomplete and will be asked for.
The supporting documentation — risk register, three-point estimate tables, correlation matrix, workshop attendance and methodology records — should be appendices, and the executive summary and methodology sections should reference them explicitly. "The full risk register is in Appendix A; the three-point estimate tables are in Appendix B; the correlation matrix is in Appendix C" is a line every gateway-ready QRA report should contain.
The documentation that makes the QRA defensible
The appendices are what separate a gateway-ready QRA from a model that was run but cannot be defended. Every three-point estimate should be traceable to its origin — which workshop it came from, who provided it, what evidence or benchmark it was calibrated against, what scope assumptions underpin it. A reviewer challenging a specific pessimistic value should be able to look up how it was derived and reach their own view on whether the derivation is reasonable.
The risk register should be formatted to show the qualitative assessment (probability band, impact band, risk owner) alongside the quantitative inputs (probability as decimal, impact distribution parameters, mapped activities or cost lines). The two should be reconciled — a risk scored as "high probability, high impact" qualitatively should translate to a materially contributing entry in the QRA model, and a risk that dominates the tornado chart quantitatively should be reflected in the qualitative narrative the team is actually managing.
The correlation matrix, if used, needs explanation. A matrix with dense correlation structure and no supporting rationale looks like a tuning exercise. A matrix with correlations explicitly linked to documented drivers — "weather risk correlation across all outdoor activities in winter months", "resource correlation across activities sharing specialist commissioning teams" — is defensible. Where no correlation is modelled, that choice should also be stated and justified, because a genuinely uncorrelated model is a strong claim that will usually be challenged.
HM Treasury Green Book alignment
For public-sector QRA, HM Treasury Green Book alignment is expected. The Green Book sets methodological expectations around optimism bias, risk treatment and the evidential standards that underpin appraisal. A QRA report that explicitly addresses these expectations carries more weight with reviewers than one that does not.
Optimism bias treatment is a common gap. The Green Book requires that capital cost estimates at early project stages carry an optimism bias uplift calibrated to the project category. A QRA that models identified risks but does not address optimism bias is likely to be challenged for under-representing early-stage uncertainty. The report should either apply the Green Book optimism bias uplift to the base estimate before QRA, or document explicitly why the QRA's own risk treatment is assessed as sufficient to cover the bias — and a reviewer will want to see the evidence for that assessment.
The Green Book also expects the confidence level chosen for funding decisions to be justified. A report that defaults to P80 without addressing the sponsor's articulated risk appetite is weaker than one that explicitly discusses the confidence level in the context of the specific programme. Cross-referencing to the business case's treatment of risk appetite is good practice and closes the loop between the QRA and the broader appraisal.
The common failure modes
A QRA report that triggers a gateway recommendation to redo the work typically shows one or more of these patterns. The methodology section is vague — referring generally to "Monte Carlo simulation" and "three-point estimates" without specifying AACE alignment, tool, or iteration count. The risk register has many entries but the quantitative contribution is concentrated in a small number of them, suggesting the others are filler. The three-point estimates show symmetric distributions across most activities, implying anchoring bias rather than differentiated uncertainty.
Another failure pattern is a headline confidence level that does not reconcile to the narrative. If the report says "P80 is £X" but the identified risks in the register add to materially more than £X's worth of exposure at high probability, the model has either under-calibrated the risks, incorrectly correlated them, or contains modelling errors. Reviewers increasingly check this kind of consistency and a QRA that fails the reconciliation test is very hard to rescue without a rerun.
Missing workshop documentation is a structural weakness. If the report does not record who attended the quantification workshops, what their roles were, how long was spent per line item, and what reference evidence was introduced, the reviewer cannot form a view on whether the elicitation was rigorous. AACE PGD-02 (Guide to Quantitative Risk Analysis) and 57R-09 between them provide the workshop methodology and documentation expectations — a report that follows them has a much easier reviewer conversation than one that does not.
How to make the reviewer's job easier
Reviewers are usually under time pressure and are reading several QRA reports alongside many other gateway artefacts. A report that makes their job easier is a report that arrives at a favourable outcome more often. Practical techniques: use visual hierarchy aggressively — the headline P80 cost and date should be visible within ten seconds of opening the report. Use explicit cross-references to the AACE practices being followed. Include a one-page methodology summary that a reviewer can skim and understand without reading the full section.
The other thing reviewers value is explicit discussion of limitations. A QRA that says "our model has the following limitations: [A, B, C], and we believe these have the following effect on the confidence position: [specific assessment]" is more defensible than one that claims no limitations. All models have limitations; the honest treatment is to name them. Reviewers distrust analyses that claim more precision than they can credibly support.
Finally, align the report structure with the reviewer's checklist where possible. IPA gateway reviewers work to internal guidance on what to look for; departmental assurance leads do the same; MoD MPRP teams on CADMID programmes apply their own scorecard against the controls evidence. A QRA report that answers their checklist questions in the order they ask them is faster to review and easier to approve. SOMA structures QRA reports explicitly to the assurance criteria that apply to the specific gateway — which is why our work typically clears the review on first submission rather than needing rework.