Upload
eashani-rodrigo
View
59
Download
5
Embed Size (px)
Citation preview
Research Essay
IS Project Risk Management:
Risk Factors in IS Project
Management
Author: Eashani Rodrigo
5/9/2017
Copyright © Eashani Rodrigo 1
Contents
Introduction .......................................................................................................................... 2
Literature review .................................................................................................................. 4
Risk Management Process .................................................................................................. 4
Risk Identification – IS project risk factors ........................................................................ 5
Case Study Analysis ............................................................................................................. 7
Case A – Deploying IT/IS Projects in Omani Government Organizations ........................ 7
Case B – Identifying software project risks in Nigeria: an International Comparative
Study ................................................................................................................................... 8
Discussion ............................................................................................................................ 10
Conclusion ........................................................................................................................... 12
References ........................................................................................................................... 13
Copyright © Eashani Rodrigo 2
Introduction
The success of a project depends on how it is being managed. Organizations across different
industries use formal project management methodologies and best practices for the successful
management of their various projects. One of the most critical project management functions
is the „Project Risk Management‟. Every project comes with inevitable risk factors that
impact the success of the project. In any project management environment, either it is
construction, information technology, telecommunications and financial services etc., proper
project risk management should be followed in order to reduce and eliminate possible
unexpected project risks and to help resolving problems if they occurred.
According to Schwalbe (2009), risks are “uncertain events that may occur to the detriment or
enhance of the project”, therefore the project risk management is aimed at “minimizing
negative risk events and maximizing positive events”. In recent years, with the increasing
complexity of the projects and changing business environments, the uncertainty of the project
outcomes is in continual increase. This has resulted in making the risk management an
important function in project management. Many researchers have found that process of risk
management is a critical function for the success of the projects and it is essential to the
development of profitability, especially in large-scale projects (Cadle & Yeates, 2008;
Mohtashami et al, 2006). To achieve success in IT projects, the IT (Information Technology)
industry is increasingly adopting risk management processes in their IS (Information
Systems) project management practices.
In IS project management, risk management involves all processes concerned with risk
identification, risk analysis, and response to project risks (Schwalbe, 2009). From these
processes, most critical process is considered as the „risk identification‟ or identifying the risk
factors; which is the first step in managing successful IS development risks. Even though
there are considerable attempts of academics to identify, classify, and compare IS project risk
factors, there are not enough evidence to support the idea that industry practices use these
frameworks in practical project management. Industry experts argue that these IS project risk
factors identified by academics are not always applicable in the practical scenarios and there
are other aspects to be considered when identifying IS project risks (Mursu et al., 2003).
Therefore, this research focuses on identifying IS project risk factors in practical IS project
management practices. Based on this research focus, this research aims to find answers for
two questions:
Copyright © Eashani Rodrigo 3
(1) What are the IS projects‟ risk factors identified by scholars (risk identification
frameworks)?
(2) Are those risk factors being similarly identified in practical scenario, if not what
are the risk factors that can be newly identified in practical IS project
management?
In order to find answers to those questions, this study will survey through academic literature
to find IS projects‟ risk factors identified by academics, and it will analyse few industry case
studies and systematic industry studies on IS project risk management to find answers for the
practical identification of IS project risk factors.
With the intention of providing knowledge in identifying IS project risk factors for practical
IS project management practices, this research wishes to benefit IT organizations who follow
risk management processes for successful IS project management.
The next section of this essay highlights the literature review on the existing research on
selected area, which will be followed by the evidence drawn case studies on practical
scenario. Finally, it will discuss the research findings, which will be followed by the research
conclusion.
Copyright © Eashani Rodrigo 4
Literature review
Risk Management Process
According to Mohtashami et al. (2006), IS project risk management deals with “anticipating,
preventing, and mitigating problems arising in the software product, project or process”. In
their research paper, they discuss a risk management framework, which comprise of major
functions such as: “identifying and categorizing risk types, planning to avoid possible risk,
and otherwise detect, mitigate, and recover from risks when they occur”.
James Cadle and Donald Yeates (2008) in their book, “Project Management for Information
Systems”, have discussed a risk management process with five sub-processes. These sub
processes include: plan risk management approach, identifying risks, assess risks, plan risk
responses and carry out risk reductions actions (Figure 1).
Figure 1: The Risk Management Process (Cadle & Yeates, 2008)
Copyright © Eashani Rodrigo 5
All these risk processes which have been introduced by different academics, have three sub-
processes in common, and these are: risk identification, risk analysis and risk responses. Risk
identification is the first step of any risk management process and this involves in discovering
what the risks are. Once the various risks are identified and described, the next - step risk
analysis is involved with assessing risks based on their impact and likelihood. As the final
step, after the risks were identified and the effects are being quantified, necessary actions
should be taken. There are four main responses (actions) to a risk: risk acceptance, risk
avoidance, risk mitigation and risk transfer (Cadle & Yeates, 2008).
Risk Identification – IS project risk factors
Risk identification is the first and the most critical step of the risk identification process. This
initial process provides the input to entire risk management function and the outcome of the
risk management function depends on the accurate identification of the project‟s risks.
Therefore, it is important to identify all the possible risks of the project, also it is important to
identify possible risks at the early stages of the project in order to minimize the costs of the
risks.
One of the well-known initial risk identification framework was introduced by Ward and
Griffiths in 1996. This framework included the major risk identification categories as: project
size, project complexity, people issues, project control, novelty and requirements stability.
In recent decade, risk identification has become a difficult task due to the complexity of the
projects; nevertheless, each project is unique and its risks can arise from the
interdependencies of the factors that might not have been considered before. Considering
these complexities, academics and researchers currently have identified IS project risk factors
in broader areas that could potentially arise in IS projects.
Cadle & Yeates ( 2008) have introduced a risk break down structure that comprises of six sub
categories (risk factors): commercial risks, relationship risks, requirements risks, planning
and resource risks, technical risks, subcontract risks (Figure 2).
Copyright © Eashani Rodrigo 6
Figure 2: Risk breakdown structure (Cadle & Yeates, 2008)
Similarly, Bocij, Greasley and Hickie (2015) have discussed seven major risk identification
categories or risk factors identified by Baccarini, Salm and Love (2004). Namely, they are:
“Commercial and legal relationships, Economic circumstances, Political circumstances,
Human behaviour, Technology and technical issues, Management activities and controls and
Individual activities”. These major seven risk categories included 27 common IT risks
factors. For an example: commercial and legal relationships category includes risk factors
such as: inadequate third part performance, resistance between clients and contractors;
economic circumstances category includes risks factors such as: changing market conditions,
harmful competitive actions and etc.; human behaviour factors include insufficient staff, poor
quality and etc.; political circumstances includes factors such as: unsupportive organizational
culture, parties within the organisation, lack of executive support; technology and technical
issues include the factors such as: inadequate user documentation, technical limitations of the
software solution and poor production etc.; management activities and controls category
includes the risk factors such as an unreasonable project schedule and budget; and individual
activities category includes over-specification and unrealistic expectations etc.
Copyright © Eashani Rodrigo 7
Case Study Analysis
Case A – Deploying IT/IS Projects in Omani Government Organizations
In a research case study presented by Al-Wohaibi, Masoud & Edwards (2002) have discussed
the cultural/organizational risk factors involved in implementing IT projects in Oman. They
also have discussed the strategies needed to deal with those identified risks.
In their case study, the researchers have compared the risk factors arising in the context
Omani culture with the risk factors reported in previous literature. Through this analysis they
have found that the most techniques being adopted in software development were mostly
focused on technical aspects of the problem; people aspect were seen as secondary. As result
the IS projects have continued to fail. Therefore, they suggest in practical scenario it is
essential to consider information systems as social system instead of purely technical system.
They have also highlighted that cultural and organizational dimensions majorly effect on IS
project success and therefore these aspects should be considered when identifying risk
factors.
As the framework for the data observation, they have used three risk categories: human
resource deficiency, organisational inefficiencies and immaturity of the IT business culture.
Using Delphi method as data collection, based on this framework the expert discussion
groups have identified more risk factors that are specific to the Omani government
organizations. Table 1 presents the their observation on identified risk factors that affects
IT/IS deployment in government organizations in Oman and have indicated whether those
factors have been discussed in previous literature.
Copyright © Eashani Rodrigo 8
Table 1: Summary of Risk Factors Observed in Oman (Al-Wohaibi, Masoud & Edwards,
2002)
Their observation shows that some of the risk factors that have observed are already been
discussed in academic literature. However, they have identified some unique risk factors
(non-technical IT management, lack of unified IT strategy, lack of collaboration and lack of
public oversights) that impact the success of their government organizations‟ IS projects. The
researchers believe that these are unique risk factors to their context and these factors impact
Oman IS projects in greater extend due to Omani organizations‟ low familiarity with complex
IT systems.
Case B – Identifying software project risks in Nigeria: an International Comparative Study
In this research case study, presented by Anja Mursu, Kalle Lyytinen, HA Soriyan & Mikko
Korpela (2003), is aimed at identifying software project risks and risk rankings in Nigeria
comparing to similar international study carried out to rank common IS project risk factors in
three countries: US, Finland and Hong Kong.
The researchers have used Delphi method to collect data for this case study, repeating the
research design used in the international Delphi study carried out by Schmidt et al. (2001) on
identifying and ranking IS projects risk factors in US, Finland and Hong Kong. As for the
data collection framework, initially the common risk factors were organized based on the
Copyright © Eashani Rodrigo 9
same classification as the Schmidt et al. (2001) international study. Then, a panel of Nigerian
software development experts was questioned on most common risk factors in Nigeria and
the comparative importance of each factor.
Even though the researchers initially used Schmidt et al. (2001) risk factor categories such as
corporate environment, political environment, they identified that the risk factors in Schmidt
et al. (2001) did not include focus on the socio-economic context. In contrast, the research
team - Mursu et al. (2003), identified several risk factors that are considerably different from
the factors included in the earlier international study, and they found these the risk factors
identified in their list was mainly focused on socio-economic context rather than corporate
environment. Therefore, the research team had to add one additional category for the existing
risk factor to the framework as: socio-economic context. Under this category, they identified
six risk factors that are unique to the Nigerian context; these unique IS project risk factors
are: “Under funding of development, Import of foreign packages, Energy supply, IT
awareness in the country, Huge capital requirements and Erratic and unreliable data
network”.
By analysing these risk factors, researchers found that the rankings they obtained indicate the
importance of the infrastructure related socio-economic IS project risks in countries like
Nigeria; which are developing countries. Therefore, they have highlighted the importance of
understanding broader socio-economic context when identifying risk factors in managing IS
projects. They also have highlighted in practical context, which different countries‟ may have
different rankings to the common the risk factors identified by literature; therefore, all these
aspects needs to be considered when identifying risk factors in IS projects.
Copyright © Eashani Rodrigo 10
Discussion
This research was aimed at finding answers to two research question (1) What are the IS
projects‟ risk factors identified by scholars (risk identification frameworks) and (2) Are those
risk factors being similarly identified in practical scenario, if not what are the risk factors that
can be newly identified in practical IS project management.
In the process of finding answers to the first question, the study reviewed previous literature
and analysed current risk identification frameworks and risk factors in IS projects
management identified by academics. In this analysis, the study found several frameworks
that are popular in risk identification literature. One of those frameworks is Ward and
Griffiths (1996) „major risk identification categories‟ which mainly focussed on the technical
aspects and the resources of the project such as: project size, project complexity, people
issues, project control and etc. The literature, which have been published in recent decade
shows broader risk identification categories, which the previous risk identification
frameworks has been updated with additional aspects for risk identification categories.
Therefore, it was evident that risk identification frameworks have been updated periodically
due to the increasing complexity of the projects. Initially the risk factors‟ was on the project
resources such as people, process and technology and the internal factors of organizations
that can affect the project. However, as the complexity and the interdependencies of factors
have increased, the researchers have attempted to identify framework and structures that
present all possible risk factors in IS projects. These factors have focussed not only internal
factors but also external factors such as Commercial and legal relationships, Economic
circumstances and Political circumstances (i.e. as shown in risk breakdown structure (Figure
1) introduced by Cadle & Yeates ( 2008) ). Therefore, it was evident that due to complexity
of the project the academic frameworks continued on updating on the risk identification
categories to support the practical adoption of these frame works in to the different industry
contexts.
The second question of this research was aimed at finding whether these academic
frameworks or IS project risk factors are adoptable for the practical usage and are there any
risk identification categories that needs to be focussed when identifying risks in practical
scenario is IS project risk management. To find answers to this question a detailed analysis
was carried out on two distinct systematic industry case studies.
Copyright © Eashani Rodrigo 11
In Case A – Fundamental Risk Factors in Deploying IT/IS Projects in Omani Government
Organizations, the researchers Al-Wohaibi, Masoud & Edwards (2002) have studied the risk
factors affecting Omani government organizations. In their study they identified, there are
common risk factors that affect their context that have been reported literature, however they
also identified unique risk factors that can have a major impact to the success of their projects
that needs to be considered in the Omani government organizations‟ IS project management.
Therefore, it is evident that the projects risk factors can change depending on the cultural and
organizational factors. Each country may have additional unique set of risk factors that needs
to be considered in cultural and organizational aspects. They have also identified that in
practical IS project risk management, most organizations focus mainly on the technical issues
of the project and tend to neglect people aspects when identifying risk factors, which leads to
IS project failure. Therefore, in practical context it is evident that the organizations should
focus on all aspects of risk identification categorizations without solely focusing on technical
aspects.
In Case B - Identifying software project risks in Nigeria: an International Comparative Study,
the researchers Anja Mursu, Kalle Lyytinen, HA Soriyan & Mikko Korpela (2003), have
studied the risk factors and risk rankings of the IS project management risk in Nigerian
context. In their study, they have compared common risk factors from international study
conducted on three countries: US, Finland and Hon Kong and used their common risk factors
as the framework. The study found that the rankings of the risk factors majorly differed from
the other countries common risk factor rankings and they identified additional risk factors
that are unique to the Nigerian context. As a result, they added a new risk factor category to
their list as socio-economic context. Therefore, it is evident that even though there are
common risk factors or frameworks that can be adopted by practitioners, still there are unique
risk factors to different countries based on their socio-economic context. Therefore, all these
aspects should be considered when identifying risk factors in different IT project in practical
context. Moreover, the common risks factors may have different impact on various countries
and various projects, therefore the risk identification should be carried out individually for
each project considering all the possible aspects depending on the context.
These case studies findings shows that even there are common risk factors that can be
adapted by academic frameworks, there are unique risk factors for each project that can
impact the success of the IS project. Therefore in practical scenario there are new aspects that
Copyright © Eashani Rodrigo 12
should be considered for risk identification (i.e. cultural and organizational aspect, socio-
economic aspects); moreover, the relatedness of common risk factors will differ depending
on the context (i.e. the country, culture, organization type) of the IT project.
Conclusion
In conclusion, based on these case study findings on practical scenario, it was evident that
current industry practices adopt common risk identification frameworks for their IS project
risk management practices and there are common risk factors that are similar to the industry
identified risk factors. However, the success of adoption of these frameworks are
questionable as there are unique risk factors that can majorly impact the IS project. Therefore,
in practical IS project risk identification practices, the project managers should consider the
common risk factors as well the unique risk factors that can impact the specific project.
However, there can be implications when identifying unique risk factors in practical IS
project management in different context. The complexity of the project and lack of
knowledge in every aspect of the project or the context may limit the successful identification
of accurate risk factors. Another implication is the time limitation. The risk identification is
the time consuming process, the project stakeholder involvement in project risk identification
and the requirement to consider many aspects of the project may not be practical with the
project time-frames.
Copyright © Eashani Rodrigo 13
References
Bocij, P., Greasley, A. & Hickie, S. (2015) Business Information Systems: Technology,
Development and Management for the E-Business. 5th
edn. London: Pearson.
Cadle, J. & Yeates, D. (2008) Project Management for Information Systems, 5th
edn. London:
Pearson.
Ward, J., & Griffiths, P.M. (1996) Strategic Planning for Information Systems. New York:
John Wiley and Sons
Schwalbe, K. (2009) Introduction to Project Management, 2nd
edn. Boston, Mass.: Course
Technology.
Mohtashami, M., Marlowe, T., Kirova, V., & Deek, F.P. (2006) „Risk Management for
Collaborative Software Development‟, Information Systems Management, 23 (4), pp. 20-30.
Al-Wohaibi, M. A., Masoud, F. A., & Edwards, H. M. (2002) „Fundamental Risk Factors in
Deploying IT/IS Projects in Omani Government Organizations‟, Journal of Global
Information Management, 10(4), pp. 1-22.
Mursu,A., Lyytinen, K., Soriyan, H.A. & Korpela, M. (2003) „Identifying software project
risks in Nigeria: an International Comparative Study‟, European Journal of Information
Systems, 12, pp. 182-194.
Schmidt, R., Lyytinen. K., Keil, M. & Cule, P. (2001) „Identifying Software Project Risks:
An International Delphi Study‟, Journal of Management, 17(4), pp.5–36.