Project controls for UK defence programmes.

UK defence programmes operate under some of the most rigorous project controls requirements in the world. The MoD's Major Projects Review Process (MPRP), the Infrastructure and Projects Authority (IPA) assurance framework, and DEF STAN requirements create a controls environment where weak baselines, inadequate QRA and under-resourced risk management are visible — and costly — at every gate.

SOMA delivers project controls into defence supply chains and MoD-sponsored programmes where the controls work must stand up to IPA scrutiny, commercial counterpart challenge, and the particular complexity of CADMID lifecycle management. We understand the difference between controls that look right and controls that hold under pressure.

The commercial reality of defence work shapes everything the controls function does. Defence primes operate under long-cycle contracts with politically sensitive Treasury exposure: a slip on a high-profile platform programme draws Parliamentary attention before it draws engineering attention, and the assurance machinery (NAO, PAC, IPA, the MoD's own Submarine Delivery Agency or DE&S Cost Assurance & Analysis Service depending on programme type) is built around that political reality. The Single Source Regulations Office (SSRO) baseline-profit and reporting regime applies to non-competitive contracts above the SSRO threshold and adds a further layer of cost-reporting discipline that the controls function has to feed. Programmes routinely involve three- or four-tier supply chains where tier 1 primes (BAE Systems, Babcock, Leonardo, Thales, Rolls-Royce Submarines) are integrating equipment from specialist tier 2 suppliers, each of which has to be controls-assured to a consistent standard for the integrated EVMS report to mean anything at MoD review.

Defence work also imposes a particular operating model on consultants. Security-classified environments mean that controls work happens on the client's estate, on the client's IT, often within a List X facility, with practitioners cleared to SC or DV as the programme requires. The work cannot be done on a consultant laptop and the deliverables cannot leave the room. That shapes how engagements are scoped, how data is handled, and how the controls function transfers knowledge to permanent client staff. It also raises the bar on the practitioner — a controls lead on a defence programme has to be able to challenge a tier 1 prime's schedule logic in a meeting where everyone in the room has worked the platform for a decade. Plausible analytic horsepower is not enough; sector-specific credibility is the entry ticket.

Delivery challenges in this sector

How SOMA approaches Defence programmes

We embed into defence programme teams as a controls capability, not a report-production function. Our QRA work follows AACE recommended practices and is structured to satisfy IPA scrutiny. Our EV implementation is designed to run on the cadence the MoD contract requires, with the audit trail that gateway reviews expect.

Standards and frameworks

• MoD MPRP (Major Projects Review Process)
• IPA (Infrastructure and Projects Authority) assurance framework
• DEF STAN — schedule and cost reporting requirements
• CADMID lifecycle
• AACE International recommended practices
• HM Treasury Green Book

Further reading

Methodology hub