The life of a project manager is a life of conflict. In truth, project management is conflict management. The project manager's job is to smoothly negotiate the obstacles encountered during every phase of the project's life. If there were no risk or conflict in a project, there would be no need for a project manager—project management would become an administrative task. But risk is two-sided; there is the possibility of loss and the potential for gain. The risks in IT projects generally exhibit significant extremes on both sides—the losses are great if the risk event occurs unabated, but the gains can be immense if the risk is planned for and eliminated, or at least mitigated and made manageable.
This chapter discusses the basic definitions of risk and risk management. A risk management model and process are presented that will prepare the organization to plan for and reduce IT risks.
Risk is characterized by three components:
The event (i.e., what can happen to the project, good or bad?)
The probability of event occurrence (i.e., what are the chances the event will happen?)
The impact to the project (i.e., what is the effect on the project, good or bad, if the event actually does occur?)
There are two types of risks—business risk and pure, or insurable, risk. Risk is not necessarily negative; it may be an opportunity for gain. The key to risk management is recognizing the potential risk events and whether they can be directed and controlled for a neutral or positive effect on the project. If a risk event can only lead to negative impacts, it should not be attempted; it should be avoided, or transferred to someone else or to another organization.
A business risk is one that provides an opportunity for gain as well as for loss. An example of a business risk is a customer change to the project scope. The change might represent a risk to the provider because it involves skills or expertise the company does not possess. However, the scope change might produce additional revenue if the company can hire additional resources, team with another company, or hire a vendor to provide the necessary expertise. Business risks are the risks that can be managed. Management of insurable, or pure, risks should never be attempted.
Insurable risks, sometimes called pure risks because they offer only opportunities for loss, are risks that the organization should never take on. Incredibly, IT organizations routinely attempt such projects because of the prevailing view that everything can be fixed with software.
Some examples of insurable risks are natural disasters such as fires, floods, hurricanes, and earthquakes. For instance, if a company is located in a high-risk area for hurricanes, it will insure against such loss. But there are other, more subtle types of pure risk. Often a company will attempt a project because the major project requirements are within the company's capability, even though one or two other requirements may not be. Since they are qualified to accomplish the majority of a project's requirements, many companies make the assumption that they will be able to complete the rest. Mature, or learning, organizations recognize these disastrous situations and plan for them. These organizations have effective project selection and risk management processes. The project selection process was discussed in Chapter 3.
The risk management process is best understood through the use of a risk management model, such as the one discussed below. This risk management model can be applied in any organization and used in any industry.