
Risk Management in Information Technology Project: An Empirical Study

This document discusses risk management in IT projects based on a literature review. It finds that risk management is important for project success by reducing uncertainty and impacts. Risks can be categorized as known, unknown, or predicted. Common risks include changes in scope, costs, and delays. Risk management involves identifying threats and vulnerabilities, assessing probability and impact of risks, and implementing controls. Identification approaches include ad-hoc, informal, periodic, and formal methods. Risk management should be applied throughout the project life cycle from planning to implementation. When done properly, risk management can increase the chances of project success.

Uploaded by

Aman Ullah

RISK MANAGEMENT IN INFORMATION TECHNOLOGY PROJECT:

AN EMPIRICAL STUDY

Kornelius Irfandhi

Master of Information Technology, Binus Graduate Program, Bina Nusantara University,


Jl. Kebon Jeruk Raya No. 27, Kebon Jeruk, Jakarta Barat, 11530

ABSTRACT

Companies face risks due to changes in a dynamic environment. If risks are not managed
properly, they will have negative impacts on the companies in the present and the future. One
important function of Information Technology (IT) governance is risk management. Risk management in
IT projects aims to provide a safe environment for the IT projects undertaken. Risk management is an
important process for the success of IT projects. This article discusses the risks of IT projects and
whether there is a relationship between risk management and the success of the project. The method
used was a literature review of several scientific articles published between 2010 and 2014. The
results of this study are that the presence of risk management and a risk manager influences the
success of the project. Risk analysis and risk monitoring and control also have a relationship with
the subjective performance of IT projects. If risk management is applied properly, the chance of
success of the projects undertaken can be increased.

Keywords: risk, risk management, IT project

INTRODUCTION

Companies face risks due to changes in a dynamic environment. This allows new risks to
emerge, derived from either the internal environment or the external environment of the
company. If the risks are not managed properly, they will have negative impacts on the company's
present and future (Talet, Mat-Zin, & Houari, 2014).

One of the important functions of Information Technology (IT) governance is risk
management. Risk management has been applied in various fields, one of which is IT projects. Risk
management in IT projects aims to provide a safe environment for IT projects. IT projects generally
have a high level of risk. Risks are encountered in the financial aspects. However, the risks that
might occur in the implementation of IT projects are not only the risks associated with the financial
aspects, but also all conditions of uncertainty that may impact negatively or positively on the
project objectives, including time, cost, scope of the project, or the quality of the project results
(Talet, Mat-Zin, & Houari, 2014).

Risk management is an important process for the success of an IT project. Risk
management provides significant benefits for companies, projects, and the stakeholders associated
with the implementation of the project. This cannot be achieved without introducing the importance
of risk management at every level of the business. Risk management is an important management tool
for a project manager to increase the chance of success of the projects (Didraga, 2013) and to
move more quickly to resolve an issue before the risk becomes a major problem that could
threaten the project objectives (Talet, Mat-Zin, & Houari, 2014).

Risk Management in Information … (Kornelius Irfandhi) 191 


IT projects are characterized by a high level of risk and can have different risk management
approaches. The articles published between 2010 and 2014 show that many researchers have
discussed the risks of IT projects, approaches for IT project risk management, and whether there
is a relationship between risk management and the success of IT projects. The author compiles
the findings from the literature review in this empirical study.

Sharif, Basri, and Ali (2014) said in their article that risk is generally defined as the
possibility of loss that describes the impact on the project, which could be poor software quality,
increased costs, failure, or pending completion. Risk can be reduced, managed, and maintained in
accordance with the planning and assessment.

The study conducted by Chawan, Patil, and Naik (2013) found that risks can be
grouped into three categories, namely: (1) known risks that can be found after carefully assessing
project plans, environmental technology, and other trusted resources, such as unrealistic delivery
time, there is no demand and software bundle. (2) Unknown risks that might actually appear, but are
very difficult to identify in advance. (3) Predicted risks that can be inferred from previous
experiences, such as personnel adjustments and no communication with the customers.

The risks are associated with the events that can be identified which will have a negative
impact. The uncertainties are related to the source of the risks that may impact negatively or
positively. Risks must contain two elements, namely uncertainty and loss (Talet, Mat-Zin, & Houari,
2014).

The level of uncertainty of the project is an important dimension in the context of the
implementation of the project. A major source of uncertainty in an IT project is the scope or the
project specifications. The study conducted by Thakurta (2014) divides uncertainty into four
categories, namely: (1) variation refers to the many influences that produce a range of possible
values on a project. For example, the duration of a specific project varies between 10 and 15
days. If changes are made, then the duration of the project will also change. (2) Foreseen
uncertainty refers to all the uncertainties that have been previously identified and that may or
may not occur during the implementation of the project. (3) Unforeseen uncertainty refers to
all the uncertainties that cannot be identified during the project planning. (4) Chaos refers to the
uncertainty of a project that does not have a definite basic structure plan, so that the
project's outcomes differ from the original intent of the project.

Talet, Mat-Zin, and Houari (2014) said that risk management on the project is used to manage
the project risks. Risk management is generally regarded as a way to reduce the uncertainty and the
impact of uncertainty, thus increasing the chance of the success of the project. Risk management aims
to prevent or reduce the impact of the risk.

Most projects or businesses operate in a dynamic (changeable) environment that may
impact negatively on the success of the project. A project is considered successful if it is completed
and meets the requirements specified by the stakeholders, such as security, efficiency,
reliability, manageability, capabilities, integration, and other requirements. A literature review which is
conducted by Talet, Mat-Zin, and Houari (2014) said that 35% of quite projects are not unnecessary
until the project implementation stage. This means that project managers do a poor job of identifying
projects or terminating projects that are likely to fail because of the risks faced during the project life
cycle.

The concept of risk management is applied in all aspects of the business, including planning
and project risk management. Before discussing the concepts of risk management more deeply, it is
necessary first to define threat and vulnerability. Threats can be defined as unwanted
incidents on the system or organization that can damage the assets owned by the system or organization.

192   ComTech Vol. 7 No. 3 September 2016: 191-199 


Vulnerabilities are weaknesses in the procedures, architecture, and implementation of the system,
and other causes, that can be exploited to compromise system security and gain unauthorized access
to information (Talet, Mat-Zin, & Houari, 2014).

Risk management (Talet, Mat-Zin, & Houari, 2014) is a process consisting of (1) identifying
vulnerabilities and threats to the information resources used by the organization in achieving
business objectives, (2) conducting a risk assessment to determine the probability and the impact,
and (3) identifying the various controls that might be applied to reduce the risk to an acceptable
level. Many approaches can be used in identifying risks. A literature review conducted by
Sarigiannidis and Chatzoglou (2011) said that there are four approaches to the identification of risk,
namely: (1) the ad-hoc approach provides an assessment of the risk when the first symptoms appear on
the project. (2) The informal approach involves discussions with people involved with the project,
either directly or indirectly, on emerging risks or risks that might appear. (3) The periodic
approach involves the use of repetitive procedures for the identification and specification of risk.
(4) The formal approach identifies the risks and performs an evaluation of each risk.

Didraga (2013) found in his study that there are three approaches that can be used in IT project
risk management. They are: (1) evaluation approach answers the questions of what can cause the
project to fail. This approach aims to make predictions in new projects that will be done by using the
information on the risks and causes of project failure that has been collected from previous projects.
(2) Management approach answers the question of how to handle the risks to prevent the failure of the
project. Risk management is required in this approach. Risk management is a process that consists of
certain stages: identification, analysis, response, monitoring, and control of the risks. (3)
Contingency approach will embed risk management in the different processes and procedures.

Currently, there are tools that can be used to provide a risk assessment on the project
(Sharif, Basri, & Ali, 2014), such as Capability Maturity Model Integration (CMMI), Risk Assessment
Visualization Tool (RAVT), Risk Assessment Tool (RAT), MATLAB, and Project Risk Assessment
Decision Support System (PRADSS).

METHODS

The method used is a literature review of articles published between 2010 and
2014. The articles used are those that discuss risk and risk management in projects,
particularly IT projects, and whether there is any relationship between risk management and the
success of the project.

RESULTS AND DISCUSSIONS

The IT projects in this discussion are software development projects. IT projects
are characterized by a high level of risk. Rapid advances in technology result in changes in
business processes that can create unexpected shifts, for example in terms of costs. This was
revealed in a study by Thakurta (2014), which found that the chance of a software project failing is
still high at 44%. Other studies said that many IT projects fail (Talet, Mat-Zin, & Houari, 2014;
Thakurta, 2014). IT projects are potentially more likely to fail than other types of projects, such
as construction projects. The main cause of IT project failure is the use of technology that is
changing quite rapidly. Other reasons for this failure include the complexity associated with
software development and the uncertain characteristics of the project development environment. IT
organizations need to keep projects on the planned schedule and budget, because IT projects are
susceptible to failure, additional costs, and schedule delays (Talet, Mat-Zin, & Houari, 2014).

IT projects can have different risk management. Risks arise from the many factors
involved in the project. Each factor depends on the type and the purpose of the project. One of the
classic problems that could potentially cause a risk in many IT projects is new technology being
developed while the project is running (Talet, Mat-Zin, & Houari, 2014).

Arnuphaptrairong (2011) conducted a study to determine the list of risks in software projects
from the literature. The results showed that there are 27 software risks categorized into six
dimensions (see Table 1), namely user, requirements, project complexity, planning and control, team,
and organizational environment.

Table 1 Six Dimensions of Software Risks

Risk Dimension: Software Risk

User:
1. Users' resistance to change
2. Conflicts between users
3. Users with negative attitudes toward the project
4. Users not committed to the project
5. Lack of cooperation from users

Requirements:
1. Continually changing requirements
2. System requirement not adequately identified
3. Unclear system requirements
4. Incorrect system requirements

Project Complexity:
1. Project involves the use of new technology
2. High level of technical complexity
3. Immature technology
4. Project involves the use of technology that has not been used prior to project

Planning and Control:
1. Lack of effective project management technology
2. Project progress not monitored closely enough
3. Inadequate estimation of required resources
4. Poor project planning
5. Project milestone not clearly defined
6. Inexperienced project managers
7. Ineffective communications

Team:
1. Inexperienced team members
2. Inadequately trained development team members
3. Team members lack specialized skill required by the project

Organizational Environment:
1. Change in organizational management during the project
2. Corporate politics with negative effect on the project
3. Unstable organizational environment
4. Organization undergoing restructuring during the project

Based on the literature study, Arnuphaptrairong (2011) found that the software risk dimension
with the largest frequency is planning and control (27), followed by requirement (17), user (14),
team (9), organizational environment (9), and project complexity (4).
Arnuphaptrairong (2011) also found that there are seven software risks which often occur, such as
misunderstanding of the requirements, lack of commitment and support from top management, lack of
user involvement, failure to get commitment from the users, failure to manage the expectations of
the end users, and lack of effective project management methodologies.

A survey involving more than 1,000 organizations in Canada found that the
main reasons for IT project failure are inadequate risk management and immature project plans. Risks
faced by IT projects are not only related to financial risk. IT project risks are divided into nine
categories, including financial risk, technology risk, security risk, information risk, people risk,
business processes risk, management risk, external risk, and success risk. Interviews with IT
professionals from leading organizations in Western Australia found that there are five most
important risks, namely lack of personnel, unreasonable project schedule and budget, unrealistic
expectations, incomplete requirements, and delay in software delivery (Talet, Mat-Zin, & Houari,
2014).

A literature review which is conducted by Sarigiannidis and Chatzoglou (2011) showed that
the risk of software project consists of interrelated dimensions. These risk dimensions are project size,
technology experience, project structure, user, system requirement, project complexity, planning and
control, team, and organizational environment.

Chawan, Patil, and Naik (2013) stated that there are several types of risks that may be
encountered in a software project, namely: (1) technical risk includes the problems with the
programming language used, the project size, the project functions, platforms, methods, standards, or
process. Technical risk can be derived from the use of excessive constraint or less well-defined
parameters. (2) Management risk includes lack of planning, lack of management experience and
training, communication problems, organizational problems, lack of authority, and control issues. (3)
Financial risk includes cash flow, capital and budget problems, and Return on Investment (ROI). (4)
Contractual and legal risk includes changing requirements, health and safety issues, government
regulations, and product warranty issues. (5) Personnel risk includes staff performance, experience
and training problems, ethics and moral issues, staff conflicts, and productivity issues. (6) Other
resource risk includes the unavailability or delay in delivery of equipment and supplies, inadequate
equipment and facilities, unavailability of computer resources, and slow response time.

The project risks found in this research are summarized in Table 2. The risks mentioned
most often across the different research results are user requirement, project complexity,
planning and control, team, organizational environment, technology, and financial risk.

Table 2 Summary of IT Project (Software) Risks

Authors | Year | IT Project Risks
Arnuphaptrairong | 2011 | User requirements, project complexity, planning and control, team, organizational environment
Sarigiannidis & Chatzoglou | 2011 | Financial risk, technology risk, security risk, information risk, people risk, business processes risk, management risk, external risk, and success risk
Chawan, Patil, & Naik | 2013 | Project size, technology experience, project structure, user, system requirement, project complexity, planning and control, team, organizational environment
Talet, Mat-Zin, & Houari | 2014 | Technical risk, management risk, financial risk, contractual and legal risk, personnel risk, other resource risk

The success of the project can generally be defined as a comparison between the project
planning and the final outcome of the project (time, budget, and requirements). When all are in line
with or even better than the planning, the project is successful. The success of the project is the
same for every stakeholder who is involved in the project.

Risks in the project can be managed by making and providing a list of the risks relevant to the
project, based on their impact on the success of the project. A poor requirement can also be the
cause of the failure of the project (Bakker, Boonstra, & Wortmann, 2010). Many IT projects experience
uncertainty about the success of the project. Determining what can be delivered at the
beginning of the project is not easy, as seen in Figure 1. Changes in project requirements will
almost certainly occur. These changes may be a risk to the project.

Figure 1 Definition of the Success of the Project


(Source: Bakker, Boonstra, & Wortmann, 2010)

Junior and Carvalho (2013) conducted research to determine whether there is a relationship
between risk management and the success of a project. Their research involved a survey of 415
professionals involved in project management (between 2008 and 2009) at various levels of complexity
in different industry sectors in four Brazilian states. The sample unit and respondents were selected
based on ease of access and their availability to respond to this research. There are four
hypotheses to be tested, namely: (1) H1: Project risk management does not influence the perception
of project success. (2) H2: Company revenue does not influence the perception of project success.
(3) H3: The type of project does not influence the perception of project success. (4) H4: The
presence of a risk manager does not influence project success.

Table 3 Junior’s and Carvalho’s Hypotheses Testing Result

Hypothesis | Description | Result
H1 | Project risk management does not influence the perception of project success | Rejected
H2 | Company revenue does not influence the perception of project success | Accepted
H3 | The type of project does not influence the perception of project success | Accepted
H4 | The presence of a risk manager does not influence project success | Rejected

Risk managers are an essential element in project risk management. Risk managers
are the people who are entitled to perform the risk management (to identify, assess, and control the
risks). Based on the results of the hypothesis testing performed by Junior and Carvalho
(shown in Table 3), it can be concluded that the presence of risk management and risk managers
influences the success of the project. The project is said to be successful when the result of the
project is in line with or better than the planning (shown in Figure 1). Good risk management can
lead the project to success only if the risks and how to control them in the project have been
identified before the project is started.

The study conducted by Sarigiannidis and Chatzoglou (2011) stated that the
definition of software project performance can be divided into two main categories, namely: (1)
subjective performance, which refers to the efficiency and effectiveness of the software when the
project has been completed, according to the people involved in the project. (2) Objective
performance, which includes quantitative metrics such as the advantages in terms of cost, effort,
and schedule.

The above performance categories should be used together to measure the performance that is
important for software developers and users (Sarigiannidis & Chatzoglou, 2011).

Didraga (2013) made a research model (shown in Figure 2) to determine the relationship
between risk management and IT projects performance. Therefore, Didraga (2013) made two major
hypotheses to be tested related to his research, namely: (1) the first hypothesis (H1): Risk management
practices are correlated with the subjective performance of IT projects. (2) The second hypothesis
(H2): Risk management practices are correlated with the objective performance of the projects, as seen
in Figure 2.

Figure 2 Didraga’s Research Model


(Source: Didraga, 2013)

The target population consisted of project managers, IT managers, and IT analysts at IT
companies in Romania. The samples were derived using the convenience method and the snowball method
from a database of 361 companies between June 10, 2012, and July 11, 2012.

Didraga (2013) used an online questionnaire instrument built with Google Docs and processed
the results using Microsoft Excel 2007 and IBM SPSS 19. He received 108 responses from 72 companies.
The variables used were the risk management practices used in IT projects, the subjective
performance, and the objective performance of IT projects. Each of the hypotheses tested by Didraga
(2013) has several sub-hypotheses with different results. The results can be seen in Table 4
and Table 5.

Table 4 Didraga’s First Sub-Hypotheses Testing Result

Hypothesis | Description | Result
H1a | Risk identification is correlated with the subjective performance of the IT project | Rejected
H1b | Risk analysis is correlated with the subjective performance of the IT project | Accepted
H1c | Risk response planning is correlated with the subjective performance of the IT project | Rejected
H1d | Risk response monitoring and control are correlated with the subjective performance of the IT project | Accepted

Table 5 Didraga’s Second Sub-Hypotheses Testing Result

Hypothesis | Description | Result
H2a1 | Risk identification is correlated with cost overrun | Rejected
H2a2 | Risk analysis is correlated with cost overrun | Rejected
H2a3 | Risk response planning is correlated with cost overrun | Rejected
H2a4 | Risk response monitoring and control are correlated with cost overrun | Rejected
H2b1 | Risk identification is correlated with schedule overrun | Rejected
H2b2 | Risk analysis is correlated with schedule overrun | Rejected
H2b3 | Risk response planning is correlated with schedule overrun | Rejected
H2b4 | Risk response monitoring and control are correlated with schedule overrun | Rejected
H2c1 | Risk identification is correlated with effort overrun | Rejected
H2c2 | Risk analysis is correlated with effort overrun | Rejected
H2c3 | Risk response planning is correlated with effort overrun | Rejected
H2c4 | Risk response monitoring and control are correlated with effort overrun | Rejected

Based on Table 4 and Table 5, Didraga (2013) concluded that the first hypothesis (H1) was
partially accepted: risk management (risk analysis and risk response monitoring and control) has a
relationship with the subjective performance of IT projects. The second hypothesis (H2) was
rejected because risk management practices have no relationship with the objective performance of
IT projects in terms of the cost, schedule, and effort required in IT projects. Good risk
management does not affect cost, schedule, and effort overrun. Cost, schedule, and effort are
correlated and defined in the project planning. Conversely, good risk management (in the context of
risk analysis and risk response monitoring and control) can lead the project to achieve its
subjective performance.

CONCLUSIONS

IT projects (in the context of software) have risks and uncertainties. Risks can be
mitigated, managed, and maintained in accordance with the planning and assessment. The common
risks across the literature might be user requirement, project complexity, planning and control,
team, organizational environment, technology, and financial risk.

The processes in risk management begin with identifying vulnerabilities and threats to
information resources, followed by risk assessment and the identification of risk controls that
might be applied to reduce the risk to an acceptable level. If risk management is applied properly,
the chance of success of the project undertaken can be increased. This was proven through Junior's
and Carvalho's research (2013) in Brazil. Their study found that the presence of risk management and
a risk manager influences the success of the project. Meanwhile, Didraga's study (2013) in Romania
showed that risk management (especially risk analysis and risk response monitoring and control) has
a relationship with the subjective performance of IT projects.

Through this study, it was found that there is a relationship between risk management and the
success and the subjective performance of IT projects. The project is said to be successful when the
result of the project is in line with or better than the planning. Good risk management can lead the
project to success only if the risks and how to control them in the project have been identified
before the project is started. Good risk management can also lead the project to achieve its
subjective performance. Conversely, good risk management does not affect cost, schedule, and effort
overrun because these three are correlated and defined in the project planning.

REFERENCES

Arnuphaptrairong, T. (2011). Top Ten Lists of Software Project Risks: Evidence from the Literature
Survey. Proceedings of the International Multi Conference of Engineers and Computer
Scientists, 1. Hong Kong.

Bakker, K. D., Boonstra, A., & Wortmann, H. (2010). Does risk management contribute to IT project
success? A meta-analysis of empirical evidence. International Journal of Project
Management, 28(5), 493-503.

Chawan, P. M., Patil, J., & Naik, R. (2013). Software Risk Management. International Journal of
Advances in Engineering Sciences, 3(1), 17-21.

Didraga, O. (2013). The Role and the Effects of Risk Management in IT Projects Success. Informatica
Economica Journal, 17(1), 86-98.

Junior, R. R., & Carvalho, M. M. (2013). Understanding the Impact of Project Risk Management on
Project Performance: an Empirical Study. Journal of Technology Management & Innovation,
8(6), 64-78.

Sarigiannidis, L., & Chatzoglou, P. D. (2011). Software Development Project Risk Management: A
New Conceptual Framework. Journal of Software Engineering and Applications, 4(5), 293-305.

Sharif, A. M., Basri, S., & Ali, H. O. (2014). Strength and Weakness of Software Risk Assessment
Tools. International Journal of Software Engineering and Its Applications, 8(3), 389-398.

Talet, A. N., Mat-Zin, R., & Houari, M. (2014). Risk Management and Information Technology
Project. International Journal of Digital Information and Wireless Communications, 4(1), 1-9.

Thakurta, R. (2014). Managing Software Projects Under Foreseen Uncertainty. Journal of Information
Technology Management, 25(2), 40-52.
