Risk Management

, Volume 16, Issue 3, pp 195–230 | Cite as

Conceptualising and responding to risk in IT projects

  • David Brookfield
  • Denis Fischbacher-Smith
  • Faizul Mohd-Rahim
  • Halim Boussabaine
Original Article


An unresolved element of the debate concerning software implementation projects concerns the difficulty of theoretically linking a coherent risk construct to an empirical validation of the risk management process. We show how key risk management activities can be embedded within a carefully developed risk construct that offers both theoretical and practical content. We support our work using data from a large sample survey and evidence how risk can accumulate in a project; show which risk mitigation strategies are likely to be used in practice and over which risk areas of the risk construct; and report a new finding concerning the strategic responses to technical failure in projects.


risk management project planning IT implementation project life cycle 


  1. Aloini, D., Dulmin, R. and Mininno, V. (2007) Risk management in ERP project introduction: Review of the literature. Information and Management 44 (6): 547–567.CrossRefGoogle Scholar
  2. Alter, S. (2001) Which life cycle … work system, information system, or software? Communications of the Association for Information Systems, 7, Article 17,, accessed 28 August 2009.
  3. Alter, S. and Sherer, S.A. (2004) A general, but readily adaptable model of information risk. Communications of the Association for Information Systems 14 (2): 1–28.Google Scholar
  4. Ambrosini, V., Bowman, C. and Collier, N. (2009) Dynamic capabilities: An exploration of how firms renew their resource base. British Journal of Management 20 (s1): S9–S24.CrossRefGoogle Scholar
  5. Atkinson, R. (1999) Project management: Cost, time and quality, two best guesses and a phenomenon, its (sic) time to accept other success criteria. International Journal of Project Management 17 (6): 337–342.CrossRefGoogle Scholar
  6. Baccarini, D., Salm, G. and Surrey, P. (2004) Management of risks in information technology projects. Journal of Industrial Management and Data Systems 104 (4): 286–295.CrossRefGoogle Scholar
  7. Bannerman, P.L. (2008) Risk and risk management in software projects: A reassessment. Journal of Systems and Software 81 (12): 2118–2133.CrossRefGoogle Scholar
  8. Barki, H., Rivard, S. and Talbot, J. (1993) Toward as assessment of software development risk. Journal of Management Information Systems 10 (2): 203–223.CrossRefGoogle Scholar
  9. Boehm, B.W. (1991) Software risk management: Principles and practices. IEEE Software 8 (1): 32–41.CrossRefGoogle Scholar
  10. Block, R. (1983) The Politics of Projects. Englewood Cliff, NJ: Yourdon Press, Prentice-Hall.Google Scholar
  11. Cerpa, N. and Verner, J.M. (2009) Why did your project fail? Communications of the ACM 52 (12): 130–134.CrossRefGoogle Scholar
  12. Chang, S. (2006) An alternative methodology for Delphi-type research in IS key issues studies. International Journal of Management and Enterprise Development 3 (1/2): 147–168.CrossRefGoogle Scholar
  13. Charette, R.N. (1996) Large scale project management is risk management. Software 13 (4): 110–117.CrossRefGoogle Scholar
  14. Charette, R.N. (2005) Why software projects fail. IEEE Spectrum,, accessed 8 November 2014.
  15. Coles, R. and Hodgkinson, G.P. (2008) A psychometric study of information technology risks in the workplace. Risk Analysis 28 (1): 81–93.CrossRefGoogle Scholar
  16. Collingridge, D. (1984) Technology in the Policy Process – The Control of Nuclear Power. London: Francis Pinter.Google Scholar
  17. Collingridge, D. (1992) The Management of Scale: Big Organizations, Big Decisions, Big Mistakes. London: Routledge.Google Scholar
  18. Dansereau, F. and Yammarino, F.J. (eds.) (2002) Overview: The many faces of multi-level issues. In: The Many Faces of Multi-Level Issues. Oxford: JAI (Elsevier Science Ltd), pp. xiii–xix.CrossRefGoogle Scholar
  19. Davis, A.M., Bersoff, E.H. and Comer, E.R. (1998) A strategy for comparing alternative software development life cycle models. IEEE Transactions on Software Engineering 14 (10): 1453–1461.CrossRefGoogle Scholar
  20. DiMaggio, P.J. (1995) Comments on ‘what theory is not’. Administrative Science Quarterly 40 (3): 391–397.CrossRefGoogle Scholar
  21. DiStefano, C., Zhu, M. and Mindrila, D. (2009) Understanding and using factor scores: Considerations for the applied researcher. Practical Assessment, Research and Evaluation 14 (20): 1–11.Google Scholar
  22. Easterby-Smith, M., Lyles, M.A. and Peteraf, M.A. (2009) Dynamic capabilities: Current debates and future directions. British Journal of Management 20 (s1): S1–S8.CrossRefGoogle Scholar
  23. Eisenhardt, K.M. and Graebner, M.E. (2007) Theory building from case: Opportunities and challenges. Academy of Management Journal 50 (1): 25–32.CrossRefGoogle Scholar
  24. Ewusi-Mensah, K. (1997) Critical issues in abandoned information systems development projects. Communications of the ACM 40 (9): 74–80.CrossRefGoogle Scholar
  25. Ewusi-Mensah, K. and Przasnyski, K. (1991) Information systems project abandonment: An exploratory study of organizational practice. MIS Quarterly 15 (1): 67–88.CrossRefGoogle Scholar
  26. Glaser, B.G. and Strauss, A.L. (1967) Basics of Grounded Theory Analysis. Mill Valley, CA: Sociology Press.Google Scholar
  27. Guadagnoli, E and Velicer, W.F. (1988) Relation of sample size to the stability of component patterns. Psycholigical Bulletin 103 (2): 265–275.CrossRefGoogle Scholar
  28. Han, W.M. and Huang, S.-J. (2007) Empirical analysis of risk components of software projects. Journal of Systems and Software 80 (1): 42–50.CrossRefGoogle Scholar
  29. Handy, C. (1994) The Empty Raincoat: Making Sense of the Future. London: Hutchinson.Google Scholar
  30. Handy, C. (1995) The Age of Unreason. New Thinking for a New World. London: Random House.Google Scholar
  31. Heemstra, F.J. and Kusters, R.J. (1996) Dealing with risk: A practical approach. Journal of Information Technology 11 (4): 333–346.CrossRefGoogle Scholar
  32. Henderson-Sellers, B. and Edwards, J.M. (1990) The object-orientated systems life cycle. Communications of the ACM 33 (9): 142–159.CrossRefGoogle Scholar
  33. Jackson, W. (2002) Poverty and agricultural policies: We ain’t winnin’ because the old dominant idea has a way of reasserting itself. Population and Environment 24 (1): 55–67.CrossRefGoogle Scholar
  34. Jiang, J. and Klein, G. (2000) Software development risks to project effectiveness. Journal of Systems and Software 52 (1): 3–10.CrossRefGoogle Scholar
  35. Kaiser, H.F. (1960) The application of electronic computers to factor analysis. Educational and Psychological Measurement 20 (1): 141–151.CrossRefGoogle Scholar
  36. Kass, R.A. and Tinsley, H.E.A. (1979) Factor analysis. Journal of Leisure Research 11 (2): 120–138.Google Scholar
  37. Keil, M. and Mann, J. (1997) The nature and extent of IT project escalation: Results from a survey of IS audit and control professional. IS Audit Control Journal 1: 40–48.Google Scholar
  38. Keil, M., Li, L., Mathiassen, L. and Zheng, G. (2008) The influence of checklists and roles on software practitioner risk perception and decision-making. The Journal of Systems and Software 81 (6): 908–919.CrossRefGoogle Scholar
  39. Keil, M., Tiwana, A. and Bush, A. (2002) Reconciling user and project manager perceptions of IT project risk: A Delphi study. Information Systems Journal 12 (2): 103–119.CrossRefGoogle Scholar
  40. Keil, M., Wallace, L., Turk, D., Dixon-Randall, G. and Nulden, U. (2000) An investigation of risk perception and risk propensity on the decision to continue a software development project. Journal of Systems and Software 53 (2): 145–157.CrossRefGoogle Scholar
  41. Ketchen, D.J. and Shook, C.L. (1996) The application of cluster analysis in strategic management research: An analysis and critique. Strategic Management Journal 17 (6): 441–458.CrossRefGoogle Scholar
  42. KPMG (2005) Global IT Project Management Survey. Australia: KPMG.Google Scholar
  43. Kumar, R.L. (2002) Managing risks in IT projects: An options perspective. Information and Management 40 (1): 53–74.CrossRefGoogle Scholar
  44. Kuruppuarachchi, P.R., Mandal, P. and Smith, R. (2002) IT project implementation strategies for effective changes: A critical review. Logistics Information Management 15 (2): 126–137.CrossRefGoogle Scholar
  45. Larman, C. and Basili, V.R. (2003) Iterative and incremental development: A brief history. IEEE Computer 36 (6): 47–56.CrossRefGoogle Scholar
  46. Linberg, K.R. (1999) Software developer perceptions about software project failure: A case study. Journal of System and Software 49 (2): 177–192.CrossRefGoogle Scholar
  47. Liu, S., Zhang, J., Keil, M. and Chen, T. (2010) Comparing senior executive and project manager perceptions of IT project risk: A Chinese Delphi study. Information Systems Journal 20 (4): 319–355.CrossRefGoogle Scholar
  48. Lopes, M. and Flavell, M. (1998) Project appraisal – A framework to assess non-financial aspects of projects during the project life cycle. International Journal of Project Management 16 (4): 223–233.CrossRefGoogle Scholar
  49. Macher, J.T. and Mowery, D.C. (2009) Measuring dynamic capabilities: Practices and performance in semiconductor manufacturing. British Journal of Management 20 (s1): S41–S62.CrossRefGoogle Scholar
  50. Mahaney, R.C. and Lederer, A.L. (2010) The role of monitoring and shirking in information systems project management. International Journal of Project Management 28 (1): 14–25.CrossRefGoogle Scholar
  51. Mata, F.J., Fuerst, W.L. and Barney, J.B. (1995) Information technology and sustained competitive advantage: A resource-based analysis. MIS Quarterly 19 (4): 487–505.CrossRefGoogle Scholar
  52. McFarlan, F.W. (1981) Portfolio approach to information systems. Harvard Business Review 59 (5): 142–150.Google Scholar
  53. Melville, N., Kraemer, K. and Gurbuxani, V. (2004) Review: IT and organizational performance: An integrative model of IT business value. MIS Quarterly 28 (2): 283–322.Google Scholar
  54. Meredith, J.R. and Mantel, S.J. (2002) Project Management. A Managerial Approach. 5th edn. Hoboken, NJ: Wiley Text Books.Google Scholar
  55. Na, K.-S., Simpson, J.T., Li, X. and Singh, T. (2007) Software development risk and project performance measurement: Evidence in Korea. Journal of Systems and Software 80 (4): 596–605.CrossRefGoogle Scholar
  56. Palomo, J., Insua, D.R. and Ruggeri, F. (2007) Modeling external risks in project management. Risk Analysis 27 (4): 961–978.CrossRefGoogle Scholar
  57. Perrow, C. (1984) Normal Accidents. New York: Basic Books.Google Scholar
  58. PMI (2004) A Guide to the Project Management Body of Knowledge, 3rd edn. Project Management Institute.Google Scholar
  59. Procaccino, J.D., Verner, J.M., Shelfer, K.M. and Gefen, D. (2005) What do software practitioner’s really think about project success: An exploratory study. Journal of Systems and Software 78 (2): 194–203.CrossRefGoogle Scholar
  60. Reason, J.T. (1997) Managing the Risks of Organizational Accidents. Aldershot, UK: Ashgate.Google Scholar
  61. Reel, J.S. (1999) Critical success factors in software projects. IEEE Software 16 (3): 18–23.CrossRefGoogle Scholar
  62. Rietveld, T. and van Hout, R. (1993) Statistical Techniques for the Study of Language and Language Behaviour. The Hague, The Netherlands: De Gruyter Mouton.CrossRefGoogle Scholar
  63. Ropponen, J. and Lyytinen, K. (2000) Components of software development risk: How to address them? A project manager survey. IEEE Transactions on Software Engineering 26 (2): 98–112.CrossRefGoogle Scholar
  64. Royce, W. (1970) Managing the development of large software systems, Proceedings of IEEE WESCON 26 August: 1–9,, accessed 28 August 2009.
  65. Rubinstein, D. (2007) Standish group report: There’s less development chaos today. Software Development Times 169 (1): 1–2.Google Scholar
  66. Sauer, C. and Cuthbertson, C. (2003) The state of IT project management in the UK, Computer Weekly 15 April.Google Scholar
  67. Sauer, C., Gemino, A. and Reich, B.H. (2007) The impact of size and volatility on IT project performance. Communications of the ACM 50 (10): 79–84.CrossRefGoogle Scholar
  68. Schmidt, R., Lyytinen, K., Keil, M. and Cule, P. (2001) Identifying software project risks: An international Delphi study. Journal of Management Information Systems 17 (4): 5–36.Google Scholar
  69. Seidl, D. (2007) The dark side of knowledge. Emergence: Complexity & Organization 9 (3): 16–29.Google Scholar
  70. Seyedhoseini, S.M., Noori, S. and Hatefi, M.A. (2009) An integrated methodology for assessment and selection of the project risk response actions. Risk Analysis 29 (5): 752–763.CrossRefGoogle Scholar
  71. Sherer, S.A. and Alter, S. (2004) Information system risk and risk factors: Are they mostly about information systems? Communications of the Association for Information Systems 14 (2): 29–64.Google Scholar
  72. Shih-Chieh Su, J., Chan, C.-L., Yu-Chin Liu, J. and Chen, H.-G. (2008) The impact of user review on software responsiveness: Moderating requirements uncertainty. Information and Management 45 (4): 203–210.CrossRefGoogle Scholar
  73. Smith, D. (1995) The dark side of excellence: Managing strategic failures. In: J. Thompson (ed.) Handbook of Strategic Management. London: Butterworth-Heinemann, pp. 161–191.Google Scholar
  74. Suddaby, R. (2006) What grounded theory is not. Academy of Management Journal 48 (4): 533–642.Google Scholar
  75. Sumner, M. (2000) Risk factors in enterprise-wide/ERP projects. Journal of Information Technology 15 (4): 317–327.CrossRefGoogle Scholar
  76. Sutton, R.I. and Staw, B.M. (1995) What theory is not. Administrative Science Quarterly 40 (3): 371–384.CrossRefGoogle Scholar
  77. Tbachnick, B.G. and Fidell, L.S. (2007) Using Multivariate Statistics, 4th edn. Boston, MA: Allyn & Bacon.Google Scholar
  78. Tesch, D., Kloppenborg, T.J. and Frolick, M.N. (2007) IT project risk factors: The Project management professionals perspective. Journal of Computer Information Systems 47 (4): 61–69.Google Scholar
  79. Turner, B.A. (1994) The causes of disaster: Sloppy management. British Journal of Management 5 (3): 215–219.CrossRefGoogle Scholar
  80. Van Maanen, J. (1989) Some notes on the importance of writing in organization studies. Harvard Business School Research Colloquium. Boston, Harvard, pp. 27–33.Google Scholar
  81. Wallace, L. and Keil, M. (2004) Software project risks and their effect on outcomes. Communications of the ACM 47 (4): 68–73.CrossRefGoogle Scholar
  82. Wallace, L., Keil, M. and Rai, A. (2004) How software project risk affects project performance: An investigation of the dimensions of risk and exploratory model. Decision Sciences 35 (2): 289–321.CrossRefGoogle Scholar
  83. Yetton, P., Martin, A., Sharma, R. and Johnston, K. (2000) A model of information systems development project performance. Information Systems Journal 10 (4): 263–289.CrossRefGoogle Scholar
  84. Yu, J., Xu, B. and Hu, H. (2007) Towards Capability Maturity in Software Review. Computer Software and Applications Conference, 2007. COMPSAC 2007. 31st Annual International, 1, Beijing: IEEE. pp. 629–630.Google Scholar

Copyright information

© Palgrave Macmillan, a division of Macmillan Publishers Ltd 2014

Authors and Affiliations

  • David Brookfield
    • 1
  • Denis Fischbacher-Smith
    • 2
  • Faizul Mohd-Rahim
    • 3
  • Halim Boussabaine
    • 4
  1. 1.Management School, University of LiverpoolLiverpoolUK
  2. 2.Adam Smith Business School, University of GlasgowGlasgowUK
  3. 3.University of MalayaKuala LumpurMalaysia
  4. 4.School of Architecture, University of LiverpoolLiverpoolUK

Personalised recommendations