Applying best practice risk management in IT projects

By Dennis Sheehan
08 Jul 2014

IT projects rarely stand alone. They usually represent a major deliverable of a wider enterprise programme and their success or failure can have a massive impact on the business. Against a backdrop of interminable high-profile project failures – the Ministry of Justice has just given up on a failed £56m IT project – the need for a risk management approach to IT projects is becoming pressing.

Many failures in IT projects have their roots in poorly defined requirements, lack of stakeholder engagement, changes in staffing and technology with the passing of time, and unsolicited changes that move the goalposts. Yet these issues are nothing new. The challenges of long, complex IT projects are well known, and issues that recur project after project would have been identified at the outset as risks had mature risk management practices been in place.

The concept of risk management is gradually seeping into organisations' approach to IT projects. However, rather than being a bolt-on, it needs to be an integral part of the organisation's culture. Current best practice is to treat risk as an uncertainty that could be a positive opportunity or a negative threat.

IT projects face a number of challenges in addressing risk that the Royal Academy of Engineering and the BCS included in their definitive list of Challenges of Complex IT Projects. Too often there is no clear link between the project and the organisation's key strategic priorities, including agreed measures of success.

An absence of clear senior leadership, combined with a failure to engage with stakeholders to understand their requirements and perceptions of risk, have presented challenges to many IT projects from the start. Lack of training, knowledge and formal risk tools and techniques are also major challenges; as a starting point it is essential to have an understanding of the organisation's level of maturity in its management practices and to identify areas where improvements are required.

Best practice risk management

IT projects are notorious for coming in too late or costing too much. Lack of defined objectives is another common cause of project failure. If objectives are ill defined, this in itself is a source of risk. The process of risk management addresses that – as a starting point it requires documented objectives. Once objectives are defined, the next step is to look at the threats that would cause those objectives to be defeated or the opportunities that would support the completion of them.

A risk-aware organisation should create a risk framework that includes a defined risk-management process enabling IT projects to be implemented with a full understanding of the inherent risks. It is imperative to set clear goals and objectives right at the start of a project and agree these with programme sponsors. This is part of the first step in the process – "identifying context", which also includes gaining a clear understanding of stakeholders' requirements, setting expectations and planning how to maintain the engagement of sponsors.

IT projects can be long and complex, which could give rise to risks caused by the inevitable turnover of resource and loss of pace as new technologies emerge. Commonly, at the beginning of a major IT project the sponsor is excited about it but their interest may wane as other issues capture their attention. Continued commitment is key, however. There are likely to be disagreements at a later stage between suppliers, users and other stakeholders. Someone has to make the call and this is just one of the sponsor's many responsibilities.

IT projects also suffer from the risk of uncontrolled changes in scope. Often when software solutions are in development, stakeholders will ask for what may look, superficially, like a small tweak. But the change may be complex to code or have wider repercussions. An enlightened organisation will put in place a clearly defined change control procedure that assesses the impact of a change request on time, cost and so on. But they forget to ask, 'does this present a risk?' – a threat or an opportunity.

Poor estimation of time and cost has torpedoed many an IT project. Appropriate estimating techniques should be clearly documented in each project risk management strategy. With risk at the heart of IT project management, supported by practical risk management tools, CIOs will be in a good place to bring in projects painlessly, on time and on budget, whatever life throws at them on the way.

Dennis Sheehan MAPM, MCMI is a senior training consultant at the ILX Group
