Abstract
Risk management and ‘routine-based reliability’ is considered fundamental to project performance. Existing theories of project risk management do not fully explain why project managers stop practicing risk management information systems (IS); however, constructs drawn from organisation theory offer insights into how and why such disengagement occurs. The study examines risk management practices in 21 IS projects within 10 organisations. By focusing on risks that resulted in significant events and mapping backwards over time the practices associated with those risks, we identify that in all but five projects the manager had disengaged from prescribed risk management before executing risk responses. In most projects, the majority of formally identified and assessed risks remained unallocated and untreated. A laddering technique was used to help explain why this transpired. We found five key underlying beliefs that governed project managers’ risk management attitudes and actions.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Akintoye AS and Macleod MJ (1997) Risk analysis and management in construction. International Journal of Project Management 15 (1), 31–38.
Association For Project Management (2005) Project Management Body of Knowledge. Association for Project Management, London.
Bannerman PL (2008) Risk and risk management in software projects: a reassessment. Journal of Systems & Software 81 (12), 2118–2133.
Barki H, Rivard S and Talbot J (1993) Toward an assessment of software development risk. Journal of Management Information Systems 10 (2), 203–225.
Beierle TC (2004) The benefits and costs of disclosing information about risks: what do we know about right-to-know? Risk Analysis 24 (2), 335–346.
Bobbitt HR and Ford JD (1980) Decision-maker choice as a determinant of organizational structure. Academy of Management Review 5 (1), 13–23.
Boehm B and Ross R (1989) Theory-W software project management: principles and examples. IEEE Transactions on Software Engineering 15 (7), 902–916.
Boehm BW (1991) Software risk management: principles and practices. IEEE Software 8 (1), 32–41.
Bown NJ, Read D and Summers B (2003) The lure of choice. Journal of behavioral decision making. Journal of Behavioral Decision Making 16 (297), 308.
British Standards I (2000) Project management – Part 1: Guide to project management. British Standards Institute, London.
Butler BS and Gray PH (2006) Reliability, mindfulness, and information systems. MIS Quarterly 30 (2), 211–224.
Cerpa N and Verner JM (2009) Why did your project fail? Communications of the ACM 52 (12), 130–134.
Chapman C (1997) Project risk analysis and management – PRAM the generic process. International Journal of Project Management 15 (5), 273–281.
Chapman C and Ward S (2004) Why risk efficiency is a key aspect of best practice projects. International Journal of Project Management 22 (8), 619–632.
Chapman C, Ward S, Turner JR and Simister SJ (2000) Managing risk. In Gower Handbook of Project Management (Anonymous, Ed), Gower Publishing Limited, Aldershot.
Charette R (1996) Large-scale project management is risk management. IEEE Software 13 (4), 110–117.
Clarke L (1993) The disqualification heuristic: when do organizations misperceive risk? Research in Social Problems and Public Policy 5, 289–312.
Cleden D (2009) Managing Project Uncertainty. Gower, Farnham.
Cule P, Schmidt R, Lyytinen K and Keil M (2000) Strategies for heading off IS project failure. Information Systems Management 17 (2), 65–73.
DE Camprieu R, Desbiens J and Yang F (2007) ‘Cultural’ differences in project risk perception: an empirical comparison of China and Canada. International Journal of Project Management 25 (7), 683–693.
Dekker SWA (2005) Ten Questions About Human Error. Lawrence Earlbaum Associates, Mahwah, NJ.
Dimaggio PJ and Powell WW (1991) Introduction. In The New Institutionalism in Organizational Analysis (Powell WW and Dimaggio PJ, Eds), University of Chicago Press, Chicago.
Feldman MS and Pentland BT (2003) Reconceptualizing organizational routines as a source of flexibility and change. Administrative Science Quarterly 48 (1), 94–118.
Fischhoff B, Lichtenstein S, Slovic P, Derby SL and Keeney RL (1981) Acceptable Risk. Cambridge University Press, Cambridge.
Flanagan JC (1954) The critical incident technique. Psychological Bulletin 51 (4), 327–358.
Gabriel E (1997) The lean approach to project management. International Journal of Project Management 15 (4), 205.
Gibson CF (2003) IT-enabled business change: an approach to understanding and managing risk. MIS Quarterly 2 (2), 104–115.
Glover S (2004) Separate visual representations in the planning and control of action. Behavioral and Brain Sciences 27, 3–78.
Granovetter M (1973) The strength of weak ties. American Journal of Sociology 78 (6), 1360–1380.
Hale AR, Singleton WT and Hovden J (1987) Subjective risk. In Risk and Decisions (Anonymous, Ed), John Wiley & Sons, Chichester.
Hofmann HF and Lehner F (2001) Requirements engineering as a success factor in software projects. IEEE Software 18 (4), 58.
Hollnagel E (2006) Resilience – the challenge of the unstable. In Resilience Engineering: Concepts and Precepts (Hollnagel E, Woods DD and Leveson N, Eds), Ashgate, Aldershot.
Hopkins A (Ed) (2009) Learning from High Reliability Organisations. CCH Australia, Sydney.
Jaafari A (2001) Management of risks, uncertainties and opportunities on projects: time for a fundamental shift. International Journal of Project Management 19, 89–101.
Johnson J (2006) My Life is Failure. The Standish Group International, West Yarmouth.
Johnson J, Boucher KD, Connors Y and Robinson J (2001) Project management: the criteria for success. Software Magazine 21 (1), 3–11.
Keil M, Wallace L, Turk D, Dixon-Randall G and Nulden U (2000) An investigation of risk perception and risk propensity on the decision to continue a software development project. Journal of Systems and Software 53 (2), 145–157.
Kwak YH (2000) Calculating project management's return on investment. Project Management Journal 31 (2), 38.
Lam W (2004) Technical risk management on enterprise integration projects. Communications of the AIS 2004 (13), 291–316.
Lamb R and Kling R (2003) Reconceptualizing users as social actors in information systems research. MIS Quarterly 27 (2), 197–235.
Lammers J, Galinsky AD, Gordijn EH and Otten S (2008) Illegitimacy moderates the effects of power on approach. Psychological Science 19 (6), 558–564.
Langer EJ (1989) Mindfulness. Perseus Publishing, Cambridge, MA.
Langer EJ (1997) The Power of Mindful Learning. Addison-Wesley, Reading, MA.
Langley A (1999) Strategies for theorizing from process data. Academy of Management Review 24 (4), 691–710.
Lanza RB (2000) Does your project risk management system do the job? Information Strategy: The Executive’ s Journal 17 (1), 6–12.
Lapinski AR, Horman MJ and Riley DR (2006) Lean processes for sustainable project delivery. Journal of Construction Engineering & Management 132 (10), 1083–1091.
Latour B (1986) Visualization and cognition: thinking with eyes and hands. In Knowledge and Society Studies in the Sociology of Culture Past and Present (Kuklick H, Ed.), Vol. 6, pp 1–40, Jai Press, London.
Lavy I and Yadin A (2010) Team-based peer review as a form of formative assessment – the case of a systems analysis and design workshop. Journal of Information Systems Education 21 (1), 85–98.
Machlis GE and Rosa EA (1990) Desired risk: broadening the social amplification of risk framework. Risk Analysis 10 (1), 161–168.
March JG and Shapira Z (1987) Managerial perspectives on risk and risk taking. Management Science 33 (11), 1404–1419.
March JG and Simon HA (1958) Organizations. Wiley, New York.
Mark K, Paul EC, Kalle L and Roy CS (1998) A framework for identifying software project risks. Association for Computing Machinery. Communications of the ACM 41 (11), 76.
Markus LM and Mao JY (2008) Participation in development and implementation – updating an old, tired concept for today's IS contexts. Journal of AIS 5 (11), 55–72.
Mckeen JD, Guimaraes T and Wetherbe JC (1994) The relationship between user participation and user satisfaction: an investigation of four contingency factors. MIS Quarterly 18 (4), 427–451.
Miles MB and Huberman MA (1994) Qualitative Data Analysis. SAGE Publications Ltd, London.
Mitchell VW and Boustani P (1994) A preliminary investigation into pre- and post-purchase risk perception and reduction. European Journal of Marketing 28 (1), 56–71.
Nelson RR (2007) IT project management: infamous failures, classic mistakes, and best practices. MIS Quarterly Executive 6 (2), 67–78.
Packendorff J (1995) Inquiring into the temporary organisation: new directions for project management research. International Journal of Project Management 11 (4), 319–333.
Peltokorpi V (2008) Synthesising the paradox of organisational routine flexibility and stability: a processual view. International Journal of Technology Management 41 (1/2), 7–21.
Pentland BT and Reuter HH (1994) Organizational routines as grammars of action. Administrative Science Quarterly 39 (3), 484–510.
Project Management Institute (2008) A Guide to the Project Management Body of Knowledge. Project Management Institute, Pennsylvania.
Raftery J (1994) Risk Analysis in Project Management. Chapman & Hall, London.
Raz T and Michael E (2001) Use and benefit of tools for project management. International Journal of Project Management 19 (1), 9–17.
Ropponen J (1999) Software Risk Management: Foundations, Principles and Empirical Findings. University Printing House, Jyvaskyla.
Ropponen J and Lyytinen K (1997) Can software risk management improve system development: an exploratory study. European Journal of Information Systems 6 (1), 41.
Schmidt R, Lyytinen K, Keil M and Cule P (2001) Identifying software project risks: an international delphi study. Journal of Management Information Systems 17 (4), 5–36.
Schwalbe K (2002) Information Technology Project Management. Thomson Learning, Scarborough.
Shafir E, Simonson I and Tversky A (1993) Reason-based choice. Cognition 49 (1–2), 11–36.
Shehu Z and Akintoye A (2010) Major challenges to the successful implementation and practice of programme management in the construction environment: a critical analysis. International Journal of Project Management 28 (1), 26–39.
Slovic P, Fischhoff B, Lichtenstein S, Schwing RC and Albers WA (1980) Facts and fears: understanding perceived risk. In Societal Risk Assessment (Anonymous, Ed), Plenum Press, New York.
Smallman C (1996) Challenging the orthodoxy in risk management. Safety Science 22 (1–3), 245–262.
Snook SA (2000) Friendly fire: The Accidental Shootdown of U.S. Black Hawks Over Northern Iraq. Princeton University Press, Oxford.
Starbuck WH and Milliken FJ (1988) Challenger: fine-tuning the odds until something breaks. Journal of Management Studies 25 (4), 319–340.
Taylor H (2006) Critical risks in outsourced it projects: the intractable and the unforeseen. Communications of the ACM 49 (11), 75–79.
Tsoukas H and Chia R (2002) On organizational becoming: rethinking organizational change. Organization Science 13 (5), 567–582.
Van Rekom J, Van Riel CBM and Wierenga B (2006) A methodology for assessing organizational core values. Journal of Management Studies 43 (2), 175–201.
Vaughan D (1996) The Challenger Launch Decision: Risk Technology, Culture, and Deviance at NASA. University of Chicago Press, Chicago.
Weick K and Sutcliffe K (2001) Managing the Unexpected: Assuring High Performance in an Age of Complexity. Jossey Bass, San Francisco.
Weick KE and Quinn RE (1999) Organizational change and development. Annual Review of Pyschology 50 (1), 361–388.
Weick KE and Roberts KH (1993) Collective mind in organizations: heedful interrelating on flight decks. Administrative Science Quarterly 38 (3), 357–381.
White MP, Pahl S, Buehner M and Haye A (2003) Trust in risky messages: the role of prior attitudes. Risk Analysis 23 (4), 717–726.
Whittaker B (1999) What went wrong? unsuccessful information technology projects. Information Management & Computer Security 7 (1), 23–29.
Wildavsky A and Dake A (2002) Theories of risk perception: who fears what and why? Daedalus 129 (4), 41–60.
Willcocks LP and Grifiths C (Eds) (1997) Management and Risk in Major Technology Projects. McGraw-Hill, Berkshire.
Williams TM (2005) Assessing and moving on from the dominant project management discourse in the light of project overruns. IEEE Transactions on Engineering Management 52 (4), 497–508.
Woods DD and Hollnagel E (2006) Prologue: resilience engineering concepts. In Resilience Engineering: Concepts and Precepts (Hollnagel E, Woods DD and Leveson N, Eds), Ashgate, Aldershot.
Yang B, Burns ND and Backhouse CJ (2004) Management of uncertainty through postponement. International Journal of Production Research 42 (6), 1049–1064.
Acknowledgements
The authors would like to thank Professor John Ward for his valuable comments and support.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Kutsch, E., Denyer, D., Hall, M. et al. Does risk matter? Disengagement from risk management practices in information systems projects. Eur J Inf Syst 22, 637–649 (2013). https://doi.org/10.1057/ejis.2012.6
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1057/ejis.2012.6