IS Project Risk Management: Risk Factors in IS Project Management

Research Essay

IS Project Risk Management:

Risk Factors in IS Project

Management

Author: Eashani Rodrigo

5/9/2017

Copyright © Eashani Rodrigo 1

Contents

Introduction .......................................................................................................................... 2

Literature review .................................................................................................................. 4

Risk Management Process .................................................................................................. 4

Risk Identification – IS project risk factors ........................................................................ 5

Case Study Analysis ............................................................................................................. 7

Case A – Deploying IT/IS Projects in Omani Government Organizations ........................ 7

Case B – Identifying software project risks in Nigeria: an International Comparative

Study ................................................................................................................................... 8

Discussion ............................................................................................................................ 10

Conclusion ........................................................................................................................... 12

References ........................................................................................................................... 13


Introduction

The success of a project depends on how it is being managed. Organizations across different

industries use formal project management methodologies and best practices for the successful

management of their various projects. One of the most critical project management functions

is the „Project Risk Management‟. Every project comes with inevitable risk factors that

impact the success of the project. In any project management environment, either it is

construction, information technology, telecommunications and financial services etc., proper

project risk management should be followed in order to reduce and eliminate possible

unexpected project risks and to help resolving problems if they occurred.

According to Schwalbe (2009), risks are “uncertain events that may occur to the detriment or

enhance of the project”, therefore the project risk management is aimed at “minimizing

negative risk events and maximizing positive events”. In recent years, with the increasing

complexity of the projects and changing business environments, the uncertainty of the project

outcomes is in continual increase. This has resulted in making the risk management an

important function in project management. Many researchers have found that process of risk

management is a critical function for the success of the projects and it is essential to the

development of profitability, especially in large-scale projects (Cadle & Yeates, 2008;

Mohtashami et al, 2006). To achieve success in IT projects, the IT (Information Technology)

industry is increasingly adopting risk management processes in their IS (Information

Systems) project management practices.

In IS project management, risk management involves all processes concerned with risk

identification, risk analysis, and response to project risks (Schwalbe, 2009). From these

processes, most critical process is considered as the „risk identification‟ or identifying the risk

factors; which is the first step in managing successful IS development risks. Even though

there are considerable attempts of academics to identify, classify, and compare IS project risk

factors, there are not enough evidence to support the idea that industry practices use these

frameworks in practical project management. Industry experts argue that these IS project risk

factors identified by academics are not always applicable in the practical scenarios and there

are other aspects to be considered when identifying IS project risks (Mursu et al., 2003).

Therefore, this research focuses on identifying IS project risk factors in practical IS project

management practices. Based on this research focus, this research aims to find answers for

two questions:


(1) What are the IS projects‟ risk factors identified by scholars (risk identification

frameworks)?

(2) Are those risk factors being similarly identified in practical scenario, if not what

are the risk factors that can be newly identified in practical IS project

management?

In order to find answers to those questions, this study will survey through academic literature

to find IS projects‟ risk factors identified by academics, and it will analyse few industry case

studies and systematic industry studies on IS project risk management to find answers for the

practical identification of IS project risk factors.

With the intention of providing knowledge in identifying IS project risk factors for practical

IS project management practices, this research wishes to benefit IT organizations who follow

risk management processes for successful IS project management.

The next section of this essay highlights the literature review on the existing research on

selected area, which will be followed by the evidence drawn case studies on practical

scenario. Finally, it will discuss the research findings, which will be followed by the research

conclusion.


Literature review

Risk Management Process

According to Mohtashami et al. (2006), IS project risk management deals with “anticipating,

preventing, and mitigating problems arising in the software product, project or process”. In

their research paper, they discuss a risk management framework, which comprise of major

functions such as: “identifying and categorizing risk types, planning to avoid possible risk,

and otherwise detect, mitigate, and recover from risks when they occur”.

James Cadle and Donald Yeates (2008) in their book, “Project Management for Information

Systems”, have discussed a risk management process with five sub-processes. These sub

processes include: plan risk management approach, identifying risks, assess risks, plan risk

responses and carry out risk reductions actions (Figure 1).

Figure 1: The Risk Management Process (Cadle & Yeates, 2008)


All these risk processes which have been introduced by different academics, have three sub-

processes in common, and these are: risk identification, risk analysis and risk responses. Risk

identification is the first step of any risk management process and this involves in discovering

what the risks are. Once the various risks are identified and described, the next - step risk

analysis is involved with assessing risks based on their impact and likelihood. As the final

step, after the risks were identified and the effects are being quantified, necessary actions

should be taken. There are four main responses (actions) to a risk: risk acceptance, risk

avoidance, risk mitigation and risk transfer (Cadle & Yeates, 2008).

Risk Identification – IS project risk factors

Risk identification is the first and the most critical step of the risk identification process. This

initial process provides the input to entire risk management function and the outcome of the

risk management function depends on the accurate identification of the project‟s risks.

Therefore, it is important to identify all the possible risks of the project, also it is important to

identify possible risks at the early stages of the project in order to minimize the costs of the

risks.

One of the well-known initial risk identification framework was introduced by Ward and

Griffiths in 1996. This framework included the major risk identification categories as: project

size, project complexity, people issues, project control, novelty and requirements stability.

In recent decade, risk identification has become a difficult task due to the complexity of the

projects; nevertheless, each project is unique and its risks can arise from the

interdependencies of the factors that might not have been considered before. Considering

these complexities, academics and researchers currently have identified IS project risk factors

in broader areas that could potentially arise in IS projects.

Cadle & Yeates ( 2008) have introduced a risk break down structure that comprises of six sub

categories (risk factors): commercial risks, relationship risks, requirements risks, planning

and resource risks, technical risks, subcontract risks (Figure 2).


Figure 2: Risk breakdown structure (Cadle & Yeates, 2008)

Similarly, Bocij, Greasley and Hickie (2015) have discussed seven major risk identification

categories or risk factors identified by Baccarini, Salm and Love (2004). Namely, they are:

“Commercial and legal relationships, Economic circumstances, Political circumstances,

Human behaviour, Technology and technical issues, Management activities and controls and

Individual activities”. These major seven risk categories included 27 common IT risks

factors. For an example: commercial and legal relationships category includes risk factors

such as: inadequate third part performance, resistance between clients and contractors;

economic circumstances category includes risks factors such as: changing market conditions,

harmful competitive actions and etc.; human behaviour factors include insufficient staff, poor

quality and etc.; political circumstances includes factors such as: unsupportive organizational

culture, parties within the organisation, lack of executive support; technology and technical

issues include the factors such as: inadequate user documentation, technical limitations of the

software solution and poor production etc.; management activities and controls category

includes the risk factors such as an unreasonable project schedule and budget; and individual

activities category includes over-specification and unrealistic expectations etc.


Case Study Analysis

Case A – Deploying IT/IS Projects in Omani Government Organizations

In a research case study presented by Al-Wohaibi, Masoud & Edwards (2002) have discussed

the cultural/organizational risk factors involved in implementing IT projects in Oman. They

also have discussed the strategies needed to deal with those identified risks.

In their case study, the researchers have compared the risk factors arising in the context

Omani culture with the risk factors reported in previous literature. Through this analysis they

have found that the most techniques being adopted in software development were mostly

focused on technical aspects of the problem; people aspect were seen as secondary. As result

the IS projects have continued to fail. Therefore, they suggest in practical scenario it is

essential to consider information systems as social system instead of purely technical system.

They have also highlighted that cultural and organizational dimensions majorly effect on IS

project success and therefore these aspects should be considered when identifying risk

factors.

As the framework for the data observation, they have used three risk categories: human

resource deficiency, organisational inefficiencies and immaturity of the IT business culture.

Using Delphi method as data collection, based on this framework the expert discussion

groups have identified more risk factors that are specific to the Omani government

organizations. Table 1 presents the their observation on identified risk factors that affects

IT/IS deployment in government organizations in Oman and have indicated whether those

factors have been discussed in previous literature.


Table 1: Summary of Risk Factors Observed in Oman (Al-Wohaibi, Masoud & Edwards,

2002)

Their observation shows that some of the risk factors that have observed are already been

discussed in academic literature. However, they have identified some unique risk factors

(non-technical IT management, lack of unified IT strategy, lack of collaboration and lack of

public oversights) that impact the success of their government organizations‟ IS projects. The

researchers believe that these are unique risk factors to their context and these factors impact

Oman IS projects in greater extend due to Omani organizations‟ low familiarity with complex

IT systems.

Case B – Identifying software project risks in Nigeria: an International Comparative Study

In this research case study, presented by Anja Mursu, Kalle Lyytinen, HA Soriyan & Mikko

Korpela (2003), is aimed at identifying software project risks and risk rankings in Nigeria

comparing to similar international study carried out to rank common IS project risk factors in

three countries: US, Finland and Hong Kong.

The researchers have used Delphi method to collect data for this case study, repeating the

research design used in the international Delphi study carried out by Schmidt et al. (2001) on

identifying and ranking IS projects risk factors in US, Finland and Hong Kong. As for the

data collection framework, initially the common risk factors were organized based on the


same classification as the Schmidt et al. (2001) international study. Then, a panel of Nigerian

software development experts was questioned on most common risk factors in Nigeria and

the comparative importance of each factor.

Even though the researchers initially used Schmidt et al. (2001) risk factor categories such as

corporate environment, political environment, they identified that the risk factors in Schmidt

et al. (2001) did not include focus on the socio-economic context. In contrast, the research

team - Mursu et al. (2003), identified several risk factors that are considerably different from

the factors included in the earlier international study, and they found these the risk factors

identified in their list was mainly focused on socio-economic context rather than corporate

environment. Therefore, the research team had to add one additional category for the existing

risk factor to the framework as: socio-economic context. Under this category, they identified

six risk factors that are unique to the Nigerian context; these unique IS project risk factors

are: “Under funding of development, Import of foreign packages, Energy supply, IT

awareness in the country, Huge capital requirements and Erratic and unreliable data

network”.

By analysing these risk factors, researchers found that the rankings they obtained indicate the

importance of the infrastructure related socio-economic IS project risks in countries like

Nigeria; which are developing countries. Therefore, they have highlighted the importance of

understanding broader socio-economic context when identifying risk factors in managing IS

projects. They also have highlighted in practical context, which different countries‟ may have

different rankings to the common the risk factors identified by literature; therefore, all these

aspects needs to be considered when identifying risk factors in IS projects.


Discussion

This research was aimed at finding answers to two research question (1) What are the IS

projects‟ risk factors identified by scholars (risk identification frameworks) and (2) Are those

risk factors being similarly identified in practical scenario, if not what are the risk factors that

can be newly identified in practical IS project management.

In the process of finding answers to the first question, the study reviewed previous literature

and analysed current risk identification frameworks and risk factors in IS projects

management identified by academics. In this analysis, the study found several frameworks

that are popular in risk identification literature. One of those frameworks is Ward and

Griffiths (1996) „major risk identification categories‟ which mainly focussed on the technical

aspects and the resources of the project such as: project size, project complexity, people

issues, project control and etc. The literature, which have been published in recent decade

shows broader risk identification categories, which the previous risk identification

frameworks has been updated with additional aspects for risk identification categories.

Therefore, it was evident that risk identification frameworks have been updated periodically

due to the increasing complexity of the projects. Initially the risk factors‟ was on the project

resources such as people, process and technology and the internal factors of organizations

that can affect the project. However, as the complexity and the interdependencies of factors

have increased, the researchers have attempted to identify framework and structures that

present all possible risk factors in IS projects. These factors have focussed not only internal

factors but also external factors such as Commercial and legal relationships, Economic

circumstances and Political circumstances (i.e. as shown in risk breakdown structure (Figure

1) introduced by Cadle & Yeates ( 2008) ). Therefore, it was evident that due to complexity

of the project the academic frameworks continued on updating on the risk identification

categories to support the practical adoption of these frame works in to the different industry

contexts.

The second question of this research was aimed at finding whether these academic

frameworks or IS project risk factors are adoptable for the practical usage and are there any

risk identification categories that needs to be focussed when identifying risks in practical

scenario is IS project risk management. To find answers to this question a detailed analysis

was carried out on two distinct systematic industry case studies.


In Case A – Fundamental Risk Factors in Deploying IT/IS Projects in Omani Government

Organizations, the researchers Al-Wohaibi, Masoud & Edwards (2002) have studied the risk

factors affecting Omani government organizations. In their study they identified, there are

common risk factors that affect their context that have been reported literature, however they

also identified unique risk factors that can have a major impact to the success of their projects

that needs to be considered in the Omani government organizations‟ IS project management.

Therefore, it is evident that the projects risk factors can change depending on the cultural and

organizational factors. Each country may have additional unique set of risk factors that needs

to be considered in cultural and organizational aspects. They have also identified that in

practical IS project risk management, most organizations focus mainly on the technical issues

of the project and tend to neglect people aspects when identifying risk factors, which leads to

IS project failure. Therefore, in practical context it is evident that the organizations should

focus on all aspects of risk identification categorizations without solely focusing on technical

aspects.

In Case B - Identifying software project risks in Nigeria: an International Comparative Study,

the researchers Anja Mursu, Kalle Lyytinen, HA Soriyan & Mikko Korpela (2003), have

studied the risk factors and risk rankings of the IS project management risk in Nigerian

context. In their study, they have compared common risk factors from international study

conducted on three countries: US, Finland and Hon Kong and used their common risk factors

as the framework. The study found that the rankings of the risk factors majorly differed from

the other countries common risk factor rankings and they identified additional risk factors

that are unique to the Nigerian context. As a result, they added a new risk factor category to

their list as socio-economic context. Therefore, it is evident that even though there are

common risk factors or frameworks that can be adopted by practitioners, still there are unique

risk factors to different countries based on their socio-economic context. Therefore, all these

aspects should be considered when identifying risk factors in different IT project in practical

context. Moreover, the common risks factors may have different impact on various countries

and various projects, therefore the risk identification should be carried out individually for

each project considering all the possible aspects depending on the context.

These case studies findings shows that even there are common risk factors that can be

adapted by academic frameworks, there are unique risk factors for each project that can

impact the success of the IS project. Therefore in practical scenario there are new aspects that


should be considered for risk identification (i.e. cultural and organizational aspect, socio-

economic aspects); moreover, the relatedness of common risk factors will differ depending

on the context (i.e. the country, culture, organization type) of the IT project.

Conclusion

In conclusion, based on these case study findings on practical scenario, it was evident that

current industry practices adopt common risk identification frameworks for their IS project

risk management practices and there are common risk factors that are similar to the industry

identified risk factors. However, the success of adoption of these frameworks are

questionable as there are unique risk factors that can majorly impact the IS project. Therefore,

in practical IS project risk identification practices, the project managers should consider the

common risk factors as well the unique risk factors that can impact the specific project.

However, there can be implications when identifying unique risk factors in practical IS

project management in different context. The complexity of the project and lack of

knowledge in every aspect of the project or the context may limit the successful identification

of accurate risk factors. Another implication is the time limitation. The risk identification is

the time consuming process, the project stakeholder involvement in project risk identification

and the requirement to consider many aspects of the project may not be practical with the

project time-frames.


References

Bocij, P., Greasley, A. & Hickie, S. (2015) Business Information Systems: Technology,

Development and Management for the E-Business. 5th

edn. London: Pearson.

Cadle, J. & Yeates, D. (2008) Project Management for Information Systems, 5th

edn. London:

Pearson.

Ward, J., & Griffiths, P.M. (1996) Strategic Planning for Information Systems. New York:

John Wiley and Sons

Schwalbe, K. (2009) Introduction to Project Management, 2nd

edn. Boston, Mass.: Course

Technology.

Mohtashami, M., Marlowe, T., Kirova, V., & Deek, F.P. (2006) „Risk Management for

Collaborative Software Development‟, Information Systems Management, 23 (4), pp. 20-30.

Al-Wohaibi, M. A., Masoud, F. A., & Edwards, H. M. (2002) „Fundamental Risk Factors in

Deploying IT/IS Projects in Omani Government Organizations‟, Journal of Global

Information Management, 10(4), pp. 1-22.

Mursu,A., Lyytinen, K., Soriyan, H.A. & Korpela, M. (2003) „Identifying software project

risks in Nigeria: an International Comparative Study‟, European Journal of Information

Systems, 12, pp. 182-194.

Schmidt, R., Lyytinen. K., Keil, M. & Cule, P. (2001) „Identifying Software Project Risks:

An International Delphi Study‟, Journal of Management, 17(4), pp.5–36.