Abstract
The gap between research and practice is strikingly evident in the area of information technology (IT) project risk management. In spite of extensive research for over 30 years into IT project risk factors resulting in normative guidance on IT project risk management, adoption of these risk management methods in practice is inconsistent. Managing risk in IT projects remains a key challenge for many organizations. We discuss barriers to the application of normative prescriptions, such as assessments of probability and impact of risk, and suggest a contingency approach, which addresses the uncertainties, complexities, and ambiguities of IT projects and enables early identification of high-risk projects. Specifically, in a case study, we examine how the project management office (PMO) at one organization has bridged the gap between research and practice, developing a contingency-based risk assessment process well founded on research knowledge of project dimensions related to project performance, while also being practical in its implementation. The PMO's risk assessment process, and the risk spider chart that is the primary tool in this assessment, has proven to be effective for surfacing inherent risk at the early stages of IT projects, thereby enabling the recommendation of appropriate management strategies. The PMO's project risk assessment process is a model for other organizations striving to engage in effective and collaborative practices in order to improve project outcomes. The case illustrates the importance of considering the practical constraints of the context of application in order to transform research findings into practices that promote attainment of desired outcomes.
Acknowledgements
We would like to thank the City of Seattle, Department of Information Technology Project Management Center of Excellence for their help and support in the development of this paper.
Cite this article
Taylor, H., Artman, E. & Woelfer, J. Information technology project risk management: bridging the gap between research and practice. J Inf Technol 27, 17–34 (2012). https://doi.org/10.1057/jit.2011.29
DOI: https://doi.org/10.1057/jit.2011.29