Comprehensive Analysis of IS/IT Project Risk Management Strategies


Added on  2023/06/07

Report
AI Summary
This report provides a comprehensive analysis of IT project risk management, emphasizing its critical role in organizational success. It explores the nature of IT projects, their inherent risks, and the potential for failure due to factors like unrealistic goals and inadequate risk management. The report details the iterative process of IT risk management, encompassing risk identification, assessment (both qualitative and quantitative), response planning, and monitoring. It examines various approaches to risk management, including the management, contingency, and evaluation approaches, highlighting the importance of user participation and the use of multi-method research designs. The report also discusses the application of fuzzy methods and concludes by reiterating the significance of effective risk management in mitigating negative impacts and ensuring project success. The report references various research papers and scholarly articles to support its arguments and findings.
IS/IT project risk management
Name:
Source:
Risk events represent a highly critical issue in organizations; they should be carefully managed
because they are likely to impact the organization's reputation and result in increased costs
(Eckert 2017). Information technology (IT) projects involve high-risk activities; they are
complex by nature and have a high potential to fail. According to Barros et al. (2004), as cited
in Neves et al. (2014), many IT projects require more resources than planned, need a long time,
and produce output of lower quality than expected. Researchers believe that IT projects fail due
to setting unrealistic goals, failing to determine accurate system requirements and resources,
and not managing risk (Neves et al. 2014).
Risk management represents a crucial issue for business companies, between business
organizations, and for individuals. Its importance is increasing because of the emergence of
cloud computing and the internet of things and its connection with mobile devices (Barafort,
Mesquida & Mas 2017).
IT project failures still occur despite organizations' efforts to manage the risk of failure
by investing money, time and effort. IT risk management is a challenging process; this
argument is supported by many researchers, such as Ramos and Mota (2014), Bannerman (2008) and
Rodriguez-Repiso et al. (2007), as cited in Javani & Rwelamila (2016). On the contrary, the risk
management process is very important for the effective delivery of an IT project, and it
represents the major reason for project failure. The problem occurs because of the failure of
IT project managers who are unable to meet the specified goals (Neves et al. 2014).
Risk management is about decreasing the probable negative impact of the project activities.
Brandas et al. (2012), as cited in Javani & Rwelamila (2016), argue that the IT risk
management process is iterative. It goes through sequential stages, starting with the
identification of the risk, then qualitative and quantitative risk analysis, assessment and
response, which involve planning, monitoring and evaluation of the risk activities through the
project lifecycle. It is recommended that organizations implement a formal and proactive process
of risk assessment through the IT project lifecycle. This is likely to assure effective and
efficient resource management and risk control. The process of IT project risk assessment can be
described, according to Shneorson, Hanson & Caudle (2011), as follows:
Risk identification: It involves clear and accurate identification and good documentation of
the risk events throughout the IT project lifecycle. It requires iterative and continuous
processes of identification, although this can be challenging for project managers.
Risk assessment: It should be done based on the results of risk analysis. Accuracy is required
to be able to establish the appropriate time frame, implications and frequency of occurrence.
Risk response planning: The managerial action towards risk represents the starting point of
providing a solution and tracking the sources of risk. Developing a response plan for the
known risks enables tracking the threats by size and impact.
Risk monitoring: Monitoring the risk activities implies adjusting the risk response
planning according to the new sequences that occur during the project lifecycle.
The evaluation approach is useful in revealing the potential causes of IT project failure.
Risk factors may be new or known; both need to be managed, although knowing them is not
enough to guarantee project success. According to the management approach, risk management in
IT projects depends on a process of rational decision making. It requires information
collection and analysis to support informed decision making. De Bakker et al.
(2009), as cited in Javani & Rwelamila (2016), argue that this approach only considers the
specific situations that keep the project performing. Conversely, scholars deny that the
management approach is capable of managing all of the risk assumptions. On the other hand,
empirical research argues that risk management in IT projects can reduce the negative impact of
the risk.
The contingency approach concerns the relationship between project success and risk
management. Researchers who agree with the assumption of this approach believe that project
success is a function of the project's ability to deal with the uncertainties in its
environment. This approach requires managers to conduct environmental scanning on a regular
basis so that they can adapt to these uncertainties and anticipate new sources of risk before
they take place.
The evaluation approach aims at revealing the real causes of IT project failure. It argues that
knowing the causes of the risks enables the manager to manage them effectively and results in a
positive impact on the outcomes of the project (De Bakker, Boonstra & Wortmann 2010). This
approach is similar to the management approach because it requires using information about the
type of risks and the causes of project failure. This information could also be used in
future projects, based on successful risk management practices.
The theory of user participation in information systems development (ISD) has investigated
user engagement in the process of information system (IS) planning, design and
implementation. It requires users' involvement in the activities, relations and
responsibilities of developing the IS. This theory complements the system quality theory, which
assumes that user participation in ISD increases the system developer's awareness of the
user's needs, which in turn increases the potential for project success. In addition, the
buy-in theory of user involvement in the ISD process relates user acceptance to the
psychological involvement that develops during participation. Users are able to find the
weaknesses of the IS and allow the developer to manage them before the real implementation of
the IS (Spears & Barki 2010).
The risk analysis method, whether quantitative or qualitative, represents a systematic process
that guides the activities of risk management through data collection and evaluation. Risk
quantification is about identifying threats according to the level of risk. It involves risk
analysis and risk evaluation. According to Aloini, Dulmin & Mininno (2012), risk analysis is
used as an input to risk evaluation in order to formulate the best risk response plan. It examines
the interdependency between the factors of analysis, the potential effects and their severity. Risk
evaluation defines the risk categories depending on the algorithm of effective risk aggregation
(Asosheh, Nalchigar & Jamporazmey 2010).
Quantitative risk assessment methods use statistical and mathematical tools. These methods
require a large amount of data, including asset values, safeguard effectiveness and costs, and
threat frequency. Good data quality must be maintained to estimate the probability of risk
occurrence accurately. Qualitative risk analysis depends on judgment, experience and
intuition. It is more flexible than the quantitative methods of analysis because the
probabilities are assigned in an easier, judgmental way. The qualitative methods are subjective,
which represents the major disadvantage of using them (Lo & Chen 2012).
Risk assessment in IT projects requires analysis techniques that may be quantitative,
qualitative or a combination of the two. According to Bannerman (2008), as cited in Javani &
Rwelamila (2016), 17 IT projects in the public sector used qualitative risk analysis. This
argument is compatible with Besner and Hobbs's argument. They assume that IT project risk
assessment does not require quantitative analysis because it does not depend on probability
analysis, due to lack of information. However, managers of IT projects overestimate the
importance of quantitative risk analysis.
The qualitative analysis uses an impact matrix analysis that ranks the risks according to a
predefined scale. The risk probability yields a score that reflects the risk of occurrence and
the perceived impact on project success. The qualitative method of analysis is categorical; it
involves decision tree analysis, sensitivity analysis, modeling and simulation. On the contrary,
Voetsch et al. (2004), as cited in Javani & Rwelamila (2016), argue that IT project managers
rarely conduct a risk analysis.
The qualitative methods provide good results under conditions of uncertainty. They use a
process model that explains the events contributing to a specific outcome. The multi-method
research design, or pluralist method, is a combination of methods of data collection and
analysis. It is preferred by some researchers because it provides a richer analysis of the risk
assessment concepts and outcomes. It uses the results of the qualitative analysis to formulate the
research hypotheses. These hypotheses are then used in the quantitative methods of
analysis to test the theoretical model. The multi-method design is vital in strengthening
the results of the risk analysis (Spears & Barki 2010).
The combination of quantitative and qualitative data analyses enables the examination of the
relationship between two dimensions of agile software development. It enables controlling the
time, cost and software functionality. This method is very complex; it requires tradeoffs between
response efficiency and extensiveness (Lee & Xia 2010).
Fuzzy methods are also used in research to provide an estimate of the risk elements. The
probability of threats and the impact of the results under conditions of uncertainty and
incomplete information are used to make the fuzzy analysis. An advantage of this method is that
it eliminates subjective judgment (Alhawari, Karadsheh & Mansour 2012).
In conclusion, IT project failures still occur despite organizations' efforts to manage the
risk of failure by investing money, time and effort. Risk management is about decreasing the
probable negative impact of the project activities. The risk analysis method in IT projects,
whether quantitative or qualitative, represents a systematic process that guides the activities
of risk management through data collection and evaluation. The combination of quantitative and
qualitative data analyses enables controlling the time, cost and software functionality.
References
Alhawari, S, Karadsheh, L & Mansour, E 2012, 'Knowledge-Based Risk Management
framework for Information Technology project', International Journal of Information
Management, vol 32, pp. 50–65.
Aloini, D, Dulmin, R & Mininno, V 2012, 'Risk assessment in ERP projects', Information
Systems, vol 37, pp. 183–199.
Asosheh, A, Nalchigar, S & Jamporazmey, M 2010, 'Information technology project evaluation:
An integrated data envelopment analysis and balanced scorecard approach', Expert Systems with
Applications, vol 37, pp. 5931–5938.
Barafort, B, Mesquida, A & Mas, A 2017, 'Integrating risk management in IT settings from ISO
standards and management systems perspectives', Computer Standards & Interfaces, vol 54, pp.
176–185.
De Bakker, K, Boonstra, A & Wortmann, H 2010, 'Does risk management contribute to IT
project success? A meta-analysis of empirical evidence', International Journal of Project
Management, vol 28, pp. 493–503.
Eckert, C 2017, 'Corporate reputation and reputation risk: Definition and measurement from a
(risk) management perspective', The Journal of Risk Finance, vol 18, no. 2, pp. 145–158.
Javani, B & Rwelamila, P 2016, 'Risk management in IT projects – a case of the South African
public sector', International Journal of Managing Projects in Business, vol 9, no. 2, pp. 389–413.
Lee, G & Xia, W 2010, 'Toward agile: An integrated analysis of quantitative and qualitative field
data on software development agility', MIS Quarterly, vol 34, no. 1, pp. 87–114.
Lo, C & Chen, W 2012, 'A hybrid information security risk assessment procedure considering
interdependences between controls', Expert Systems with Applications, vol 39, pp. 247–257.
Neves, S, Da Silva, C, Salomon, V, Da Silva, A & Sotomonte, B 2014, 'Risk management in
software projects through knowledge management techniques: Cases in Brazilian incubated
technology-based Firms', International Journal of Project Management, vol 32, pp. 125–138.
Shneorson, O, Hanson, J & Caudle, C 2011, 'Management of information technology risk using
virtual infrastructure', United States Patent, USA.
Spears, J & Barki, H 2010, 'User participation in information systems security risk management',
MIS Quarterly, vol 34, no. 3, pp. 503–522.