آیا مدیریت ریسک به موفقیت پروژه IT کمک می کند؟ یک فرا تحلیل از شواهد تجربی

The question whether risk management contributes to IT project success is considered relevant by people from both academic and practitioners’ communities already for a long time. This paper presents a meta-analysis of the empirical evidence that either supports or opposes the claim that risk management contributes to IT project success. In addition, this paper also investigates the validity of the assumptions on which risk management is based. The analysis leads to remarkable conclusions. Over the last 10 years, much has become known about what causes IT projects to fail. However, there is still very little empirical evidence that this knowledge is actually used in projects for managing risks in IT projects. This paper concludes with indicating new directions for research in the relation between risk management and project success. Key elements are stakeholder perception of risk and success and stakeholder behaviour in the risk management process.

Does risk management contribute to project success? This question is considered relevant by people from both academic and practitioners’ communities already for a long time. Especially in the area of Information Technology (IT), where projects have a long history of failing (The Standish Group International, 1999), there is a great deal of interest in the effects of risk management. This interest goes back as far as the 70’s with Alter and Ginzberg (1978), whose article “… suggests that the likelihood of successful MIS implementation can be increased by identifying the key uncertainties at each stage of the development process and devising strategies for coping with the range of possible results” (Alter and Ginzberg, 1978). However, as Alter and Ginzberg’s (1978) use of the word “suggest” indicates, the effects of risk management are hard to establish. The debate during the time of the millennium change, in IT circles known as the Y2K problem, is an example of the general problem that it is difficult to establish the influence of something that is meant to prevent something else from happening. During the late 90’s, large sums of money were invested to identify and repair computer software that was assumed to be unable to handle the transition from the year 1999 to 2000. When the transition actually took place, however, there were no major computer failures. The question was then asked whether it had been worth the investment (BBC News Talking Point, 2000). The debate took the form of a controversy between believers and non-believers, because it is impossible to determine what would have happened if this risk management had not been applied. With respect to the use of risk management in projects, professionals therefore state that risk management must be done because the project management handbooks say so, and it should be done in the way the handbooks prescribe it (Association for Project Management, 2006 and Project Management Institute, 2004). This normative approach is often found in relation to literature that focuses on project management in general (Turner, 1999), and on risk management in IT projects in particular (Ropponen and Lyytinen, 1997). The purpose of this paper is to structure the ongoing debate, and contribute to it by presenting a meta-analysis of empirical evidence that either supports or opposes the claim that risk management contributes to project success. This paper focuses on IT projects, projects that are aiming at the development and implementation of computer software, because the debate in this area among scientists and practitioners is vivid. First, we will deal with the various approaches to risk management in the literature on risk management in IT projects. These approaches vary among researchers, while their preference for a certain approach mostly remains implicit. Two approaches are distinguished here: an evaluation approach and a management approach. Subsequently, the concept of project success in the context of IT projects is surveyed. The traditional vendor-oriented definition of project success (Turner and Cochrane, 1993), based on time, budget and requirements criteria, is frequently used in publications that study risk management in relation to IT project success. However, due to incorrect assumptions or claims that are only valid in certain situations, this definition of project success does not fit the context of IT projects very well. Therefore, a more elaborate view on project success, as presented in the more recent literature, will be used in the remainder of this paper. Next, we will study the relation between the evaluation approach to risk management and its contribution to project success in greater detail. Recent publications are analysed to look for empirical evidence for the contribution of risk management to project success. If this evidence is found, its underpinning data and methods used are carefully investigated. After that the management approach to risk management is studied in greater detail. Attention is then given to the assumptions underpinning the two risk management approaches. The analysis leads to remarkable conclusions, which are presented in the last section of the paper. Over the last 10 years, much has become known from extensive empirical research about what causes IT projects to fail. However, there is still little empirical evidence that this knowledge is actually used and that the risks in IT projects are really manageable. An analysis of the assumptions underpinning risk management indicates that the risk management instrument may only work under very strict conditions. Therefore, more in-depth empirical work which looks inside the risk management process is necessary.

The evaluation approach as dealt with in the publications from the period 1997–2009 has provided us with new and valuable insights into the risk factors that have an impact on IT project success. Both technical risk factors and organizational risk factors, such as senior management support and user participation, are highly influential. Many of these insights are based on extensive empirical research. However, we conclude that our central question cannot be answered by using the evaluation approach to risk management as the only instrument to deal with the project success issue, because this approach focuses on finding risk factors rather than on how to manage risks. The contribution of the evaluation approach to project success therefore remains unclear. Literature indicates that knowledge of the risks alone is not enough to contribute to project success. The management approach to risk management has as yet not led to conclusive evidence either. Based on what is presented in publications from 1997 to 2009, we conclude that the empirical knowledge is still anecdotal and largely based on how risk management is assumed to work instead of how it is actually used in project practice. Considering the assumptions on which risk management is based, it is remarkable that except for Kutsch and Hall (2005), none of the authors comes to the conclusion that risk management may not work as assumed. The literature should at least have recognised that risk management is not being conducted as it should be in order to be effective, according to its basic criteria. This leads to the conclusion that risk management can only be effective in specific project situations. Following the work by Loch et al. (2006), an interesting direction for further research would be to determine these specific conditions in the context of IT projects. Furthermore, it would be interesting to combine the relation found by Cooke-Davies (2000) between risk management planning and a timely delivery of the project with the work of Weick and Sutcliffe (2007), who discuss awareness creation and attention shaping as conditions for stakeholder behaviour in uncertain situations. In this view, risk management contributes to project success, because the stakeholders are aware of the fact that there are risks, on the basis of which they adjust their expectations and behaviour accordingly. And finally, the majority of publications that relate risk management to project success refer to the traditional time–budget–requirements definition of project success. However, this approach is not in line with the view presented by other literature that project success entails more than just meeting time and budget constraints and requirements. Project stakeholders may use various project success definitions (Agarwal and Rathod, 2006). Therefore, the contribution of risk management should be considered in relation to a broader definition of project success. Future research may aim at finding answers to the questions whether and how risk management contributes to IT project success. In the meantime, based on the empirical evidence presented so far we conclude that the fact that project management practitioners pay attention to project risks is likely to have more impact on IT project success than following the steps prescribed in the risk management process.